When JPay launched a tablet which could help rehabilitate inmates in the prisons of the USA by helping them communicate with people outside, it might not have imagined that these tablets would be used for stealing. Sadly that has happened and inmates in different correction across the state of Idaho have stolen more than $225,000 in credits by exploiting a vulnerability in the tablet.
Jeff Ray of Idaho Department of Correction informs that more than 350 inmates were able to “intentionally [exploited] a vulnerability within JPay to improperly increase their JPay account balances“. Ideally, these credits are either topped up by the friends or relatives of these inmates or occasionally donated by the company itself.
The tablets including JPay’s JPlay allows inmates to enjoy services such as music, email, games, while the company generates revenue by facilitating transactions between inmates and their family. These transactions are in form of credits and not regular money and can be used for availing JPay’s services. “Having one of these tablets helps your loved ones pass the time, keep engaged and stay connected to you“, says the product page for one of JPay’s tablets.
The nature of the vulnerability is not confirmed but it seems that 350+ prisoners were able to exploit it by sharing some sort of common hack. This hack was covertly shared between inmates in different facilities. While most inmates were content with stealing $1,000 worth of credits, some couldn’t resist the greed for stealing more. As per the company, the highest amount stolen was $10,000.
As of now, the company is engaged in recovering the lost credits and has already reclaimed credits worth more than $65,000. It has removed the facility for downloading music and games for all inmates until its losses are recovered.
Meanwhile, JPay’s email service is still active, reports Associated Press, which shows that despite the hijacking, the company is still empathetic towards prisoners and does not want to prevent them from being in touch with their family – even though the hack could have been shared between facilities using the very service.