Page 30 - Cyber Warnings December 2015

Three Lessons We Can All Learn from the Securus Technology Hack

Chris Pogue, Senior Vice President, Cyber Threat Analysis, Nuix




The recent news that telephone service provider Securus Technologies was hacked, just another in
a long line of companies to make this dubious claim, got me thinking more than usual about the
lessons that everyone should be learning from stories like it. Admittedly, part of my job is to pay
close attention to breaches and hacks in every industry, but this one crossed some very interesting
lines that I think will have some interesting repercussions for legal service providers.

As background, Securus Technologies provides a service it calls “Secure Call Platform” to prisons
in the United States. This service allows for monitoring and recording of calls to and by inmates in
these institutions, something I think most people wouldn’t have any issue with. After all, these are
convicted criminals—their privacy rights are forfeit upon criminal conviction and incarceration. Even
the people they are talking to are given notice that the phone calls are being monitored and
recorded, so there is no expectation of privacy.

What I believe to be the major issue is that a company that touts a “secure” service has all of a
sudden found itself looking at the compromise of more than 70 million records of phone calls.
Reportedly, those records include: the inmate’s name, the numbers they called, the date, time and
duration of the calls, and other metadata. It doesn’t stop there, however; the compromised records,
which were leaked by an unnamed hacker, contain links to recordings of the calls.

While it doesn’t sound any different from other breaches or data leaks that have been in the news,
there are some important legal concerns that surface when we look more closely at the Securus breach.

Lesson 1: Unfair or Deceptive Practices

I hinted at it above—companies have an obligation to be honest with their potential customers about
the services they provide. When a breach occurs, organizations are increasingly being scrutinized
not only for their defensive countermeasures, but also to see if they engaged in unfair or deceptive business
practices. The FTC, in particular, has recently become much more aggressive in its probing of
organizations that have suffered a data breach.

We don’t know how the Securus breach happened yet—it’s much too early to know that kind of
detail and they have not made any public announcements with the specifics of the attack. That
being said, there has been an alarming trend among breached organizations to overstate the
complexity of their incident, while understating the impact. If this breach follows suit, things are
going to get a whole lot worse.

Based on authority given to the FTC under the Federal Trade Commission Act, we can logically
assume that Securus will be held accountable in some manner for untrue advertising of its
“Secure Call Platform.” The sad reality is that even a secure system can be compromised if even an

30 Cyber Warnings E-Magazine – December 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
