A hacker has reportedly provided journalists with login credentials and other data stolen from the servers of Securus, a company that was recently revealed to have been selling cellphone location information to U.S. law enforcement agencies without a warrant.
The hacker reportedly provided Motherboard with several internal files, including a database of over 2,800 Securus usernames—primarily government agencies, sheriffs departments, and local law enforcement. The customer info dates back to 2011, Motherboard reported. Information about Securus employees, including their personal email addresses, were also reportedly stolen.
The New York Times reported last week that Securus had managed to gain people’s location data via telecom companies through a service that allows customers to ping cellphones and exact their location via their proximity to cell towers. This capability is generally reserved for marketing purposes or for companies that offer roadside assistance; however, the loophole has also enabled Securus to provided that same information to police without a warrant.
Motherboard said it verified the data provided by the hacker by using a forgotten password feature on the Securus website. When an address of someone who is not a Securus customer is entered, the page returns an error; however, the addresses provided by the hacker checked out, seemingly confirming that the stolen data is real.
It is not totally clear how many of these users have access to Securus’ phone location service. But other parts of the data indicate that many of the users are likely to be working in prisons: some of the users’ roles are marked as “jail administrator,” “jail captain,” and “deputy warden.” On its website, Securus markets its “Location Based Services” product to prisons so staff can know where inmates are calling.
The website listed Minneapolis, Phoenix, Indianapolis as cities impacted by the breach.
Securus, a Dallas-based company, has marketed its services to, among others, prison facilities; it asserts it does so to offer prison officials a means to monitor for escape attempts and smuggling operations. A chief deputy at the Pinal County Sheriff’s Office in Arizona told the Times that Securus’ service had been used successfully in one case to locate a suspect who allegedly mailed a letter to an inmate containing methamphetamine.
Sen. Ron Wyden, a leading lawmaker on privacy issues, has asked the Federal Communications Commission to investigate wireless carriers working with Securus. In a letter provided to Gizmodo, Wyden called the practice of supplying location data without a warrant “abusive and potentially unlawful.”
Securus could not be immediately reached for comment.