Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Kentucky Prisoners Hack State-Issued Tablets to Create $1M

An anonymous tip on Jan. 3, 2023, alerted Kentucky corrections officials that prisoners had hacked state-issued, for-profit computer tablets and spent nearly $88,000 of fraudulent money on digital media products.

Almost nobody outside of the Kentucky Department of Corrections has heard about how several hundred prison inmates hacked their state-issued, for-profit computer tablets to create more than $1 million that didn’t really exist.

The “dollars” were used for the purchase of expensive email and video visits with their loved ones, as well as games, music and movies.

By the time state officials learned what was happening — when they got an anonymous tip on Jan. 3, 2023 — the prisoners had spent nearly $88,000 on digital media products, according to a review of more than 1,700 pages of internal investigative records the Herald-Leader obtained through the Kentucky Open Records Act.

For the next six months, the Department of Corrections and Securus Technologies, the Texas company behind the tablets, struggled to figure out who bought what with stolen money and how it might be recovered.

“What a mess,” Amanda Sayle, the department’s director of information services, emailed a colleague, information systems supervisor Jeremy Shuck, on Jan. 5, 2023.

“I know,” Shuck replied.

This wasn’t the first time inmates outfoxed Securus.

In 2018, several hundred Idaho prisoners did much the same thing, hacking tablets provided by JPay, a related company, to transfer roughly $225,000 into their digital media accounts that didn’t really exist, then going on a spending spree.

Inmates Now Face Liens


Securus Technologies, headquartered in Plano, Texas, did not respond to requests for comment. The company is owned by Platinum Equity, a private equity firm with over $48 billion in assets.

Kentucky Corrections Commissioner Cookie Crews and other state officials declined to be interviewed for this story.

In a series of email exchanges with the Herald-Leader, a spokeswoman for the Justice and Public Safety Cabinet, which oversees the Department of Corrections, said no taxpayer money was lost in the hacking, which she referred to as a “software glitch.”

Only Securus can explain what it did to help retrieve the stolen funds, said cabinet spokeswoman Morgan Hall, referring questions to the company.

In some cases, Hall added, the Department of Corrections has placed liens on inmates’ prison commissary accounts, where loved ones deposit money that inmates use to purchase snacks, toiletries and other tangible items, and it has been deducting funds from these accounts to gradually clear the tablet-related debts.

The debt collection continues today, Hall added.

Prison officials “prohibited the inmates involved from accessing their tablets for over three months, and any inmate who still owes money is prohibited from using the phone system until their debt is paid off,” Hall said.

How the Hack Worked


Securus won its first contract in 2006 to sell for-profit inmate telephone service to all Kentucky prisons. Later, it branched out to sell other digital products to this captive audience. It struck similar deals with local jails across the state, including the city of Lexington’s.

Prisoners are a lucrative source of income, Securus told potential investors around the time it entered Kentucky.

“The corrections industry has experienced sustained growth over the last decade as a result of societal and political trends,” the company said in a public filing. “Anti-crime legislation, limitations on parole, and spending authorizations for crime prevention and construction of additional correctional facilities have contributed to this industry growth.”

As part of its contract with the Department of Corrections, Securus promises the state a cut of the money it collects from inmates.

Since 2020, the company has paid the state $22.3 million, according to financial data the Herald-Leader obtained under the Open Records Act.

On Dec. 9, 2022, to help this cash flow more smoothly, the Department of Corrections loaded a new app on inmates’ tablets.

The app let inmates transfer money from their commissary accounts, where loved ones deposit money for them to buy tangible items from the prison canteens, into their Securus accounts, where they can buy digital products from the company on their tablets.

Within 24 hours, the first inmate outsmarted Securus by figuring out how to hack the app.

LaDaniel Brown, a 30-year-old Bowling Green man, had a commissary account balance of $0 at the 1,200-bed Luther Luckett Correctional Complex in Oldham County, where he was serving 30 years for child sexual abuse.

The lack of funds didn’t discourage Brown.

Playing around with the new app, Brown later told investigators, he discovered that if he a put a minus sign in front of a dollar figure as he transferred money from his commissary account, he would actually add that much money to both his commissary account and his Securus account.

Typing in “-$500” suddenly credited $500 to both of Brown’s accounts, money that didn’t really exist.

“Inmate Brown continued to make deposits by placing a minus sign in front of the amount,” investigators wrote in their report on the incident a month later, after interviewing him.

“Inmate Brown made a deposit for $100 dollars, $16 dollars, $1 dollar, $294 dollars, $300 dollars, $362.43 and $319.12,” they wrote. “The total amount of deposits that Inmate Brown made is $1,892.55. Inmate Brown also admitted to how easy it was.”

Prison Officials Didn’t Notice


Commissary accounts are used to buy real-life items, like toiletries and food. Kentucky inmates drop about $4 million a year at prison canteens, with the money required by law to be spent on programs and services for their own benefit. You can’t pass around too much money at a canteen before a guard notices.

In fact, when a Luther Luckett Correctional Complex inmate tried to buy $735 in snacks and drinks using the $2,400 he hacked into his commissary account through the new Securus app, he got caught right away.

But Securus accounts operate entirely in the digital realm, on tablets. Inmates shop and consume digital products from the relative privacy of their own cells.

Word quickly spread among inmates about how the tablets could be hacked. Games, movies and music could be purchased with money that didn’t exist an hour ago. So could video visits and email stamps.

Some inmates spent hundreds of fake dollars stocking up on email stamps so they could write home for free.

Over the next few weeks, according to one estimate prepared by internal investigators, 366 inmates collectively added $529,000 both to their commissary accounts and their Securus accounts, for a total of more than $1 million.

They quietly spent $87,959 on Securus digital media products without prison officials noticing.

In a 72-hour span, for example, inmate Jonce Adams went on a Securus spending spree, buying $250 in email stamps, $37 in games and more than $1,200 in music. Adams, who is serving 10 years for his role in a Bell County meth manufacturing ring, had loaded $1,700 onto his Securus account, investigators wrote in their report.

Most of the inmates were at Luther Luckett Correctional Complex, but a handful of others were at several other prisons around the state.

Their fun ended on Jan. 3, 2023. An anonymous email to prison officials revealed how the hack worked.

By the next morning, officials were frantically emailing each other — “ALERT!!!” — and making plans to seize the inmates’ tablets and shut down their accounts indefinitely.

In some cases, prison officials scrambled to get money back as fast as possible from inmates who were scheduled to go home.

“I have an inmate that was released today from DOC (the Department of Corrections). He is leaving with approximately $1,700 in arrears with Securus,” Michael McKinney, the agency’s director of administrative services, emailed to Amy Hewitt, a Securus executive, on March 21, 2023.

“If we can give you a list of outliers, we can reduce the loss in the end for both of us,” McKinney told Hewitt.

Three months later, on June 9, 2023, Hewitt proposed to McKinney that Securus and the Department of Corrections split between them any financial losses that could not be recovered.

“We will absorb the price for all other costs (games, movies, content delivery, stamps, etc.), but we request that KY cover 50 percent of the stolen music as that will help cover the licensing costs we are unable to get refunded,” Hewitt wrote to McKinney.

“I believe this sounds fair. Thoughts?” McKinney wrote to Shuck, his Department of Corrections colleague.

“I agree,” Shuck replied. “At most the inmates had just under a month to enjoy these purchases. I think if we are able to put a lien on their account to pay back the remainder of the balance, then they would get their tablet back once that is paid.”

Who Stole From Whom?


The Kentucky State Police and the FBI took an interest in the inmate hacking.

They met Feb. 22, 2023, with Luther Luckett Warden Amy Robey to ask her about Securus’ banking app and its now-obvious vulnerabilities. (Reached by phone recently, Robey declined to comment for this story.)

But nobody appears to have been criminally charged. The Department of Corrections ultimately declined to hand down much in the way of administrative penalties to the inmates involved.

In a long series of disciplinary proceedings handled by internal affairs, the inmates were sentenced to 15 days of disciplinary segregation — confinement alone in a cell. But those sentences were suspended for 90 days, provided the inmates committed no further infractions during that time.

Only a few inmates who were identified with stolen funds in their accounts acknowledged actively participating in the tablet hacking, internal investigators said.

“The majority of all inmates involved refused to answer questions, and other inmates stated they were not sure how the money got there, it just appeared,” investigators wrote in their report.

Bianca Tylek is executive director of Worth Rises, a nonprofit advocacy group that’s critical of what it calls “the prison industry.” Tylek said she would describe the hacking “more like a loss of revenue for Securus than a theft of funds.”

“This is lunacy, what these corporations are allowed to do to people who are incarcerated, and to their loved ones,” Tylek said.

“These are incredibly cheap services in the year 2024 — I mean, we’re talking about email and video chat — that would not require much of a state agency’s budget, and it would tremendously help us to keep an inmate’s family relationships stable for when they’re released. But we sell this to inmates at exorbitant prices to make a profit.”

“At some point you have to ask yourself, who’s really committed the crime here?” she said.



©2024 Lexington Herald-Leader. Distributed by Tribune Content Agency, LLC.
TNS
TNS delivers daily news service and syndicated premium content to more than 2,000 media and digital information publishers.