A Shady Company Offering US Police Mobile Phone Location Data Was Reportedly Just Hacked

A Shady Company Offering US Police Mobile Phone Location Data Was Reportedly Just Hacked
Facebook may have decided that you shouldn’t see the news, but we think you deserve to be in the know with Gizmodo Australia’s reporting. To sign up for our daily newsletter covering the latest news, features and reviews, head HERE. For a running feed of all our stories, follow us on Twitter HERE. Or you can bookmark the Gizmodo Australia homepage to visit whenever you need a news fix.

A hacker has reportedly provided journalists with login credentials and other data stolen from the servers of Securus, a company that was recently revealed to be selling mobile phone location information to US law enforcement agencies without a warrant.

The hacker reportedly provided Motherboard with several internal files, including a database of over 2,800 Securus usernames – primarily government agencies, sheriffs departments, and local law enforcement. The customer info dates back to 2011, Motherboard reported. Information about Securus employees, including their personal email addresses, were also reportedly stolen.

The New York Times reported last week that Securus had managed to gain people’s location data via telecom companies through a service that allows customers to ping mobile phones and exact their location via their proximity to cell towers. This capability is generally reserved for marketing purposes or for companies that offer roadside assistance; however, the loophole has also enabled Securus to provided that same information to police without a warrant.

Motherboard said it verified the data provided by the hacker by using a forgotten password feature on the Securus website. When an address of someone who is not a Securus customer is entered, the page returns an error; however, the addresses provided by the hacker checked out, seemingly confirming that the stolen data is real.

Per Motherboard:

It is not totally clear how many of these users have access to Securus’ phone location service. But other parts of the data indicate that many of the users are likely to be working in prisons: some of the users’ roles are marked as “jail administrator,” “jail captain,” and “deputy warden.” On its website, Securus markets its “Location Based Services” product to prisons so staff can know where inmates are calling.

The website listed Minneapolis, Phoenix, Indianapolis as cities impacted by the breach.

Securus, a Dallas-based company, has marketed its services to, among others, prison facilities; it asserts it does so to offer prison officials a means to monitor for escape attempts and smuggling operations. A chief deputy at the Pinal County Sheriff’s Office in Arizona told the Times that Securus’ service had been used successfully in one case to locate a suspect who allegedly mailed a letter to an inmate containing methamphetamine.

Sen. Ron Wyden, a leading lawmaker on privacy issues, has asked the Federal Communications Commission to investigate wireless carriers working with Securus. In a letter provided to Gizmodo, Wyden called the practice of supplying location data without a warrant “abusive and potentially unlawful.”

Securus could not be immediately reached for comment.