The Idaho Department of Corrections thought they were being generous to inmates when they decided to allow them to utilize tablets to electronically communicate with their family and friends, listen to digital music and play games, but they didn’t realize just how generous they were being. The agency did not foresee a massive and widespread exploitation of these devices that has since resulted in losses totaling over $225,000.
Inmates across Idaho’s correctional facilities quickly discovered an unidentified vulnerability within the JPay tablets that allowed them to gain actual currency. JPay, the private company that provided the services on the tablets, has not yet provided details about the vulnerability.
At least 364 different inmates exploited the vulnerability, hacked the tablets and deposited currency into their accounts. At least 50 of the inmates transferred amounts greater than $1,000. One brave individual successfully transferred nearly $10,000 into his account. Overall, almost $225,000 was transferred into the various accounts. Each transfer was an individual transaction, so it required action by the specific inmate to exploit the system. Investigators are still working to figure out how the inmates were crediting their accounts and how the credit exploit information was circulated to so many inmates.
JPay has temporarily suspended their crediting system until they figure out how inmates were making these transactions. So far, the company has managed to recover about $65,000.
Everyone implicated in the scheme is already serving jail time, but the Idaho Department of Corrections did issue disciplinary records to multiple offenders involved.