Skip to Content

Prisoners ‘Hack’ $225,000 in Credits From Digital System – But the Victim Is the One Under Fire

Earlier this month, Idaho prison officials discovered that 364 prison inmates had exploited a vulnerability in tightly controlled tablets provided by a for-profit company, and added nearly $225,000 in credits to personal accounts used to pay for e-mail, video calls, music, and other digital services. The hack has triggered scrutiny of the practices of JPay, the servicer who sells the tablets to inmates – and charges them as much as 47 cents to send a single email.

According to the Associated Press, the widely-used exploit was uncovered by the Idaho Department of Corrections. The hack, according to an Idaho Department of Corrections spokesperson, “was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.”

Inmates who took advantage of the vulnerability have been disciplined by the prison system, which could worsen the conditions of their incarceration. The sister of one inmate told the AP that she fears his release could be delayed because of a disciplinary report resulting from the incident, though the inmate described receiving a credit by mistake, rather than intentionally. That may be plausible given the apparent simplicity of the exploit – inmates were able to rack up credits by adding items to their digital shopping carts, then removing them in a specific way. JPay, which had already negated more than $65,000 of erroneous credits by Friday, has also blocked involved inmates from downloading music or games.

Get Data Sheet, Fortune’s technology newsletter.

The inmates who added credit to their accounts were spread across five facilities, suggesting that the technique for the hack was widely shared by word of mouth. Prisoners had plenty of motivation, courtesy of the high prices JPay charges them for services that are nearly free for many Americans.

JPay has an effective monopoly on email and digital services in Idaho prisons, according to Wired, and has contracts with dozens of state prison systems. In addition to charging as much as 47 cents for email “stamps,” JPay charges inmates as much as $18 per hour for video calls, a stark contrast with largely free services like Skype. JPay sells music downloads for up to $2.50 per song – far above the cost of an iTunes download. JPay also provides bank-like money handling for inmates’ digital and commissary accounts, and fees to send money to an inmate’s account can be exorbitant – a deposit of less than $20 can cost $3.50.

These prices allow Jpay to provide services at no cost to taxpayers – in fact, according to the New York Times, law enforcement and government authorities often get a substantial cut of the revenue generated by JPay and similar services. Prison-services companies generally argue the high fees are necessary to ensure security, though the Idaho hack would seem to undermine that argument.

Dozens of lawsuits have been filed against prison service providers over their rates and fees, and the Idaho hack has ignited online debate over whether such fees are unjust and inhumane.

Many responses to the Idaho hack have even praised the inmates, some going so far as suggesting they should be offered jobs in cybersecurity.