Fearing the spread of coronavirus, jails and prisons remain on lockdown. Visitors are unable to see their loved ones serving time, forcing friends and families to use prohibitively expensive video visitation services that often don’t work.
But now the security and privacy of these systems are under scrutiny after one St. Louis-based prison video visitation provider had a security lapse that exposed not only thousands of phone calls between inmates and their families, but also calls with their attorneys that were supposed to be protected by attorney-client privilege.
HomeWAV, which serves a dozen prisons across the U.S., left a dashboard for one of its databases exposed to the internet without a password, allowing anyone to read, browse and search the call logs and transcriptions of calls between inmates and their friends and family members. The transcriptions also showed the phone number of the caller, the inmate involved, and the duration of the call.
Security researcher Bob Diachenko found the dashboard, which had been public since at least April, he said. TechCrunch reported the issue to HomeWAV, which shut down the system hours later.
In an email, HomeWAV chief executive John Best confirmed the security lapse.
“One of our third-party vendors has confirmed that they accidentally took down the password, which allowed access to the server,” he told TechCrunch, without naming the third party. Best said the company will inform inmates, families and attorneys of the incident.
Somil Trivedi, a senior staff attorney at the ACLU’s Criminal Law Reform Project, told TechCrunch: “What we see again and again ..