Officials say vulnerability in system used to pay for email, music and games was exploited to swipe nearly a quarter million dollars

This article is more than 2 years old

This article is more than 2 years old

Prison officials say 364 Idaho inmates hacked hand-held prison tablets and collectively transferred nearly a quarter million dollars worth of tablet credits, which can be used to purchase email, music and games, to their own accounts.



The department’s special investigations unit discovered the problem this month, and the improper conduct involved no taxpayer dollars, said Jeff Ray, a spokesman for the an Idaho department of correction.

The JPay tablets are popular in prisons across the country, and they are made available to Idaho prisoners through a contract with JPay, which provides digital services in prisons, and CenturyLink, a telecommunications company. Neither company immediately responded to a request for comment from the Associated Press.

The tablets allow prisoners to email their families and friends, purchase and listen to music or play simple electronic games.

The prisoners were “intentionally exploiting a vulnerability within JPay to improperly increase their JPay account balances”, Ray said in a prepared statement on Thursday. He said 50 prisoners credited their accounts in amounts exceeding $1,000; the largest amount credited by a single prisoner was just under $10,000.

The total amount was nearly $225,000.

Rise of the machines: has technology evolved beyond our control? Read more

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every prisoner who exploited the system’s vulnerability to improperly credit their account,” Ray said in a prepared statement.

So far, JPay has recovered more than $65,000 worth of credits, and the company has suspended the ability of the prisoners to download music and games until they compensate JPay for its losses, Ray said. The prisoners are still able to send and receive emails, however.

Meanwhile, the Idaho department of correction has issued disciplinary offense reports to the prisoners who were allegedly involved, which means they could lose privileges and may be reclassified to a higher security risk level.

The prisoners involved are housed at the Idaho State Correctional Institution, Idaho State Correctional Center, Idaho Correctional Institution-Orofino, South Idaho Correctional Institution and the Correctional Alternative Placement Plan facility operated by private prison company MTC Inc.