Cyber Incident Victim: Securus Technologies

Date: May 2018

Location: United States of America

Summary

A hacker breached a company providing law enforcement phone tracking services, stealing credentials and sensitive data from thousands of law enforcement customers across U.S. sheriff departments, local counties, and city agencies. The compromised information included usernames, email addresses, phone numbers, and weakly secured MD5-hashed passwords—some already cracked—alongside security questions, exposing government personnel and internal staff. Verification confirmed the data’s validity through the company’s password recovery system. The breach highlighted critical security deficiencies in a system enabling surveillance of mobile devices nationwide, including within prisons for inmate call tracking. While the company found no evidence of location service data compromise, it temporarily disabled access to geolocation features. Concerns were raised about unauthorized surveillance risks due to inadequate access controls and potential misuse of exposed credentials.

Description

On or around May 16, 2018, a hacker breached the systems of Securus Technologies, a company providing phone tracking services to law enforcement agencies across the United States. The attacker exfiltrated internal company files containing sensitive credentials of Securus customers, including over 2,800 usernames, email addresses, phone numbers, hashed passwords, and security questions spanning from 2011 to 2018. The compromised credentials primarily belonged to US government entities such as sheriff departments, county offices, and city law enforcement agencies in locations including Minneapolis, Phoenix, and Indianapolis. Some credentials also corresponded to Securus employees and individuals using personal email accounts not explicitly tied to government agencies. The stolen password hashes were generated with the weak MD5 algorithm, which potentially allows attackers to recover the original passwords. Evidence suggested some passwords had already been cracked, though it remained unclear whether the hacker had cracked them or Securus itself had stored them in this state. Motherboard verified the authenticity of the stolen credentials by successfully initiating password resets through Securus' website using the compromised data.

Securus confirmed unauthorized access to a dataset and temporarily disabled its Location Based Services product as a precaution, though it stated no evidence linked the breach to this specific tracking system. The company obtained location data from major telecommunications providers like AT&T, Sprint, T-Mobile, and Verizon, marketing its services to prisons for monitoring inmate call locations and to law enforcement for nationwide phone tracking with minimal oversight. Prior misuse of Securus' systems had been documented, including a case where a former Missouri sheriff tracked other law enforcement officials' phones without authorization. The breach exposed critical vulnerabilities in a company handling highly sensitive surveillance capabilities, including the ability to track mobile devices even when GPS was disabled. While the full scope of compromised system access remained unclear, the incident highlighted security deficiencies in an entity managing extensive location data aggregation for government clients.
