MARION, OH — Two inmates at the Marion Correctional Institute secretly built personal computers and illegally connected them to the Ohio Department of Rehabilitation and Correction network to grant themselves and others access to various parts of the prison, a report from the Ohio Inspector General says. The prisoners hid the computers in a closet ceiling, atop plywood boards.

The inmates were part of a program called RET3, which disassembles out-of-date computer hard drives and other old technology like VCRs. The program was overseen by retired corrections employee Randy Canterbury, the Ohio Inspector General report says.

Using old parts, the inmates built their own computers and used them to hack the prison's network. In addition to gaining access to areas of the prison, the duo also stole another inmate's personal information and successfully applied for five credit cards in his name.

Officials became suspicious when additional hacking attempts were made on a Friday using Canterbury's credentials. Canterbury had a Monday-to-Thursday work week, making him an unlikely suspect. Officials discovered the computer using Canterbury's credentials was named "-lab9-" and was not authorized for operation.

Corrections officials became aware of the two hackers when employees got an email on July 3, 2015, saying that someone on the network had exceeded their daily internet usage threshold. The alert also said that Canterbury's credentials were being used to access the network. On July 4 and July 6, there were additional alerts saying someone was trying to get around the correction department's hacking defenses.
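
As an added illustration (not taken from the Inspector General's report or from ODRC systems), the two signals described above, an account active outside its owner's work week and a computer name missing from the asset inventory, can be checked over logon records as follows. The record layout, the account name `ret3_supervisor` and the inventory hostnames are assumptions; only the name "-lab9-" and the Monday-to-Thursday schedule come from the article.

```python
from datetime import datetime

# Assumed data, constructed for this example (not from the report):
# weekday numbers follow datetime.weekday(), Monday = 0.
WORK_DAYS = {"ret3_supervisor": {0, 1, 2, 3}}       # Monday-Thursday work week
AUTHORIZED_HOSTS = {"p3-train-01", "p3-train-02"}   # hypothetical asset inventory

# Constructed sample records: ISO timestamp, account, computer name.
SAMPLE_LOG = """\
2015-07-01T09:14:02 ret3_supervisor p3-train-01
2015-07-03T13:40:11 ret3_supervisor -lab9-
2015-07-06T10:05:37 ret3_supervisor -lab9-
2015-07-06T10:20:00 ret3_supervisor p3-train-02
"""

def parse(line):
    """Split one record into (datetime, account, hostname)."""
    ts, user, host = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), user, host.strip()

def review(log_text):
    """Return (date, account, host, reasons) for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        try:
            ts, user, host = parse(line)
        except ValueError:
            continue  # blank or malformed record: skip rather than crash
        reasons = []
        days = WORK_DAYS.get(user)
        # Credential used on a day its owner is not scheduled to work.
        if days is not None and ts.weekday() not in days:
            reasons.append("outside-schedule")
        # Computer name that does not appear in the inventory.
        if host.lower() not in AUTHORIZED_HOSTS:
            reasons.append("unauthorized-host")
        if reasons:
            findings.append((ts.date().isoformat(), user, host, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The Friday, July 3 record trips both checks, while the Monday, July 6 record from the same machine is caught only by the inventory check, which is why the schedule rule alone is not enough.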

Carl Brady, a corrections department IT employee, found the two computers in the closet of the P3 training room. According to the inspector's report, this is how he did it:

After identifying the computer, the search for its location and user began. Information Technology workers began running traces to find the IP of the computer's last switch (where the computer connected to the internet). The search yielded results. The computer had been plugged into a switch in the P3 Training Room at Marion Correctional, where Canterbury had been based.

"They narrowed the search down to the switch in P3 and the switch was connected to port 16," Brady said in the report. "I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found two PCs hidden in the ceiling on two pieces of plywood."

Brady removed the computers from the ceiling and turned them over to the ODRC headquarters. He also wrote a report for Marion Correctional Institute's Warden Jason Bunting. A short investigation of the devices found the two computers had identity placards on them. One computer said it belonged to Shaker Heights City Schools, the other to Parker Hannifin Corporation's Wheel and Brake Division in Avon.

The Ohio State Highway Patrol's Computer Crimes Unit then took possession of the computers to analyze the data and image the hard drives. The Office of the Ohio Inspector General was asked to identify the hacking tools on the computer and find evidence of criminal wrongdoing.

The computers had been used in a variety of illegal ways, the Inspector General's investigation found. Here are some of the crimes committed using the computers:

The Inspector General found the computers had been used to research an inmate named Kyle Patrick. Using Patrick's personal information, someone had submitted five credit card applications. The applications used Patrick's social security number and asked for the cards to be mailed to an address in Dayton.

The computer had been used to research tax refund frauds and how inmates with a computer connection could illegally file tax returns in another person's name.

The computer users had also issued allowances for certain prisoners to get access to various parts of the Marion Correctional Institute.

The Inspector General also found two dozen malicious software programs installed on the computer. The programs included hacking aids, access to proxy servers, an email spamming tool, a text encrypter and decrypter, and a tool to crack logins.

The inmates were using all of the hacking tools and software to attack the ODRC network, the report says.

Officials also found evidence that the computers were used to send messages between an inmate named Adam Johnston and Johnston's mother.

Fighting Back

The Inspector General's office filed subpoenas with the five banks that had received credit card applications for Kyle Patrick. Law enforcement spoke with Patrick and he told officers that he had never met Johnston and had never been in prison with him.

Officials also tracked Johnston's communications with his mother. During the conversations, Johnston's mother said a credit card for Kyle Patrick had been declined, but a Visa credit card under Patrick's name had been received in Dayton.

The Ohio State Highway Patrol got a warrant to search Johnston's mother's house on Nov. 5, 2015. They found the Visa credit card in her home. Johnston's mother, Karen Gallienne, said she knew her son was sending her credit cards under the name Kyle Patrick. She said her son wanted to get her some money and "help her out."

Johnston was then transferred to the Grafton Correctional Institute. Marion Correctional Institute was also asked to deny phone and computer access to four other inmates.

Johnston reportedly told police he had been using the computers and he was the one who placed them in the closet ceiling.

During the interview with police, Johnston said he imaged another inmate's hard drive using a program called Acronis. He then took a network card from another computer and placed it in his device. He plugged his computer in the switch, used a remote desktop plugin and got access to the ODRC system.

The Ohio Inspector General's report says Johnston admitted to accessing the information on Kyle Patrick and information on how to file fraudulent tax returns. He also admitted to contacting his mother through the computer system.

Five inmates, including Johnston, were moved to different correctional institutes and were at least temporarily denied computer access.

"I Don't Have an Answer"

The Ohio Inspector General's report also shines a light on malpractice by the leadership of the Marion Correctional Institute during and before the investigation into the incident.

Marion Correctional Institute's Warden Jason Bunting took too long to report the possible cybercrimes, the Inspector General's report concludes. Bunting knew a possible crime was occurring when alerts began pouring in saying someone was trying to access the ODRC's system. Bunting also received information saying someone on the network was trying to apply for a credit card, which he told investigators was a "no-no."

"I knew obviously that illegal activity was going on," he reportedly told investigators. But when asked why he didn't contact Ohio State Highway Patrol immediately, he responded, "...I don't have that answer for you."

Bunting also said he had received a report from Brady on July 12, 2015, about the two computers located in the closet ceiling, but Bunting did not remember forwarding that report on to anyone else in ODRC.

Marion Correctional Institute Investigator Tim Rayburn also told investigators that the P3 closet scene was left unsecured and inmates were allowed into the area, before Ohio State Highway Patrol was notified of the reported hacks into the ODRC system.

When asked why Rayburn did not notify investigators of the incident, he said, "I don't have an answer for that."

Rayburn then told investigators that he had seen inmates using the P3 room without any supervision.

Brady, the man who found the computers, told investigators that he personally had not removed the computers from the ceiling, but had allowed two inmates to do so. He said he wasn't aware he was in a crime scene, yet he tagged the computers as contraband, the report says.

Ultimately, the report concludes that the response to the incident was "slow and improper." An Ohio State Highway Patrol officer is assigned to the Marion Correctional Institute, and that officer was not informed of the cyberattacks or cybercrimes, the report says. Thus, the report finishes by saying the response to the incident was a willfully wrong act.

Conclusion

The Ohio Inspector General recommended that all corrections employees receive training and education, as necessary. Inmates should also not be used in the installation or maintenance of hardware, software or information technology, the report says.

The ODRC should also be conducting a thorough inventory of all of Marion Correctional Institute's equipment at more regular intervals to ensure that equipment is not missing.
