Idaho inmates hacked prison system to add money to their accounts

Get a copy of the upcoming book "Secure Operations Technology"

364 inmates at five correctional facilities in Idaho have managed to add nearly a quarter million dollars worth of credit to their JPay accounts by exploiting a vulnerability in the system, the Associated Press reported.

hacked prison system

What is JPay?

JPay is a US-based service provider that contracts with state Departments of Correction (DOC), county jails, and private federal prisons.

It provides tablets designed specifically for the corrections industry through which inmates can send emails or messages to their loved ones, buy music, play games, receive money to their commissary or trust account, and more (all for a fee, of course).

The inmates get the tablet and are allowed to use it, but they can’t access the Internet from it.

Hacked prison system

The inmates found a way to credit their accounts without paying for it.

Fifty inmates credited their accounts in amounts exceeding $1,000, and the largest amount credited by a single inmate was just under $10,000. In total, nearly $225,000 were added to the various accounts.

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Idaho Department of Correction spokesman Jeff Ray told the AP.

Security expert Jake Williams posited that the inmates’ credit balance is most likely stored on the tablet, in a SQLite database, and inmates figured out how to access it and change the numbers in their account.

The Idaho Department of Corrections has issued disciplinary reports to the inmates involved in the scheme and as a result of this they can lose some privileges and be reclassified to a higher security risk level.

JPay managed to recover over $65,000 worth of credits but is determined to get the rest of the money back from the hacking inmates. They can continue to send emails and messages to family and friends, but can’t buy music or access games until they pay the company back.