Idaho Inmates Exploit Tablet Software Flaw to Steal $225K

Over 360 inmates exploited a vulnerability in JPay, which prisoners use to access email, news, and entertainment, to manipulate the credit amounts in their JPay accounts.

Tablet computers and a software vulnerability were enough to help 364 prison inmates in Idaho collectively steal $225,000.

According to the Idaho Department of Correction, the inmates were caught earlier this month exploiting a vulnerability in their prison-issued tablets, which allowed them to manipulate the digital credits they used to buy games and music.

The tablets were issued by JPay, which specializes in offering an online system for prison inmates. The services on board the tablets can let inmates read and write emails, view educational materials, and access entertainment.

JPay Tablet

But apparently, the JPay system also contained a vulnerability involving account credit amounts, which inmates across five Idaho correctional facilities decided to hack. "Fifty inmates credited their accounts in amounts of more than $1,000. The highest amount credited by a single inmate was $9,990.35," Jeff Ray, spokesman for the Idaho Department of Correction, said in an email.

"This conduct was intentional, not accidental," he added. "It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system's vulnerability to improperly credit their account."

CenturyLink, which operates JPay, declined to disclose how the software was breached, but the vulnerability has been fixed, it said. The $225,000 was also stolen from the JPay system and was not taxpayer dollars.

So far, only $65,000 of the stolen credits has been recovered. As a punishment, Idaho correctional facilities have suspended the inmates' ability to download more music and games until they refund JPay. The inmates are also facing further disciplinary action that could reclassify the severity of their custody level.

About Michael Kan