Idaho prison inmates exploited tablet vulnerability to steal $225,000 in credits

A group of 364 prison inmates housed across a series of Idaho corrections facilities collectively stole nearly $225,000 worth of digital credits by exploiting a vulnerability in tablets provided by a company called JPay, according to the Associated Press. JPay is a private company that provides digital services like email, music, games, and money transfer to prison inmates.

JPay provides inmates with access to the outside world, and prisons often adopt its services to help with rehabilitation and education. It does not appear to use taxpayer money to fund any of its services, nor does any of its revenue from digital sales typically go to the state. Instead, JPay will either let family members or friends of inmates purchase the tablet for them, or it will foot the bill for the device itself, as it did for 53,000 inmates in the New York State prison system earlier this year.

 Image: JPlay

The company appears to earn revenue in part by charging inmates for email use and digital media downloads, using a credit system to do so. “Having one of these tablets helps your loved ones pass the time, keep engaged and stay connected to you,” reads the company’s product page for the JP5 tablet.

By “intentionally exploiting a vulnerability within JPay to improperly increase their JPay account balances,” hundreds of inmates were credit their own accounts, Idaho Department of Correction spokesman Jeff Ray explained in a statement.

It’s not immediately clear what the vulnerability was, or how so many different inmates were able to exploit it, though presumably there was some form of clandestine communication about the hack being passed between inmates across various facilities. JPay has recovered around $65,000 worth of the credits, and it has suspended inmates’ ability to use those credits to download music and mobile games until the company has been compensated for its losses. Inmates are still allowed to use email, the report states.

According to the AP, most inmates gave themselves $1,000 in credits, while the largest amount was just under $10,000 worth. “This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Ray added.