
Tsepz

For those concerned about security of their devices, I am just going to casually leave this rather interesting article here.

Securus Technologies is a Texas-based company, specializing in providing and monitoring calls to prison inmates. Securus came into the spotlight earlier this month, when a former Missouri sheriff was found using the company's service to repeatedly track people without a warrant. The New York Times reports that between 2014 and 2017, former sheriff Cory Hutcheson used the service at least 11 times, allegedly tracking a judge and members of the State Highway Patrol.
Securus obtains tracking information through a company called LocationSmart, which in turn has agreements with most U.S. carriers. Earlier this month, Senator Ron Wyden of Oregon wrote a letter to various carriers asking them to independently verify that these requests are made lawfully. "I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government."
He wrote an additional letter to the FCC, calling on the agency to "promptly investigate Securus, the wireless carriers’ failure to maintain exclusive control over law enforcement access to their customers’ location data, and also conduct a broad investigation into what demonstration of customer consent, if any, each wireless carrier requires from other companies before the carriers provide them with customer location information and other data."

Only days after the letter was sent, a hacker broke into the company's servers. He provided some of the data to Motherboard, including a spreadsheet marked "police" with over 2,800 usernames, email addresses, hashed passwords, phone numbers, and security questions of Securus users.

The passwords were encrypted using MD5, which has repeatedly been proven to be insecure. That isn't the only careless mistake the company made; an online Securus user manual shows screenshots for one of its products, but instead of using fake information, the images include the real name, address, and phone number of a specific woman.
As previously mentioned, Securus obtains tracking information through another company called LocationSmart. On its website, LocationSmart boasts access to 95% of all cross-carrier traffic, 100% of all device types, and a total reach of 15 billion devices. The company partners with all major U.S. carriers, as well as US Cellular, Virgin, Boost, and MetroPCS to obtain data. LocationSmart even has agreements with some Canadian carriers, like Bell, Rogers, and Telus.

BUT BUT BUT, it gets even better:

CMU security researcher Robert Xiao discovered that LocationSmart didn't prevent unauthorized API requests, theoretically allowing anyone to access the company's data anonymously. He disclosed the vulnerability to LocationSmart on May 16, and it was fixed the next day.

In summary, not only are there companies selling your location data to unknown third parties, but said companies are also not taking proper steps to ensure the data isn't being misused or easily stolen. Hopefully, the FTC cracks down on LocationSmart and similar companies for these actions, but at the moment its priority is cracking down on net neutrality.

More here:
https://www.androidpolice.com/2018/...rms-locationsmart-securus-fire-data-breaches/
 