A prison inmate using the phone
A huge data breach of 70 million US inmate phone calls has revealed that a phone company recorded privileged attorney-client phone calls (Netflix)

A hacker has claimed a phone company in charge of providing phone services within US prisons has been secretly recording all phone calls made by prisoners to outsiders, including privileged conversations between inmates and their lawyers.

An anonymous hacker has breached the servers of Texas-based telecommunications firm Securus Technologies and stolen data relating to 70 million inmate phone calls originating from US prisons between December 2011 and sometime during the spring of 2014.

According to the Intercept, the hacker discovered some of the data collected broke the prisoners' constitutional rights, and they decided to upload it to the Intercept's anonymous SecureDrop whistleblower submissions server.

Securus Technologies claims its systems are able to monitor and record all phone and video conversations of those incarcerated and store the data securely in its Secure Call Platform. The firm works with both local and country government clients and promotes its solution as a powerful crime-solving tool that can produce recordings of phone conversations on demand accessible only to police investigators, prosecutors and corrections workers.

But this is not all. To offer a competitive advantage, the company also pays each prison a "site commission" that is equivalent to 42% of the total revenue generated from inmate phone calls, according to research released by Prison Legal News.

14,000 lawyer-client phone calls illegally recorded

The data dump received by the Intercept included 70 million phone call records made to almost 1.3 million unique phone numbers by over 63,000 inmates.

However, what is more worrying is that while looking through the data, the Intercept discovered a total of 14,000 recorded conversations made between inmates and their lawyers. While prison inmates cannot expect much in terms of privacy when they are found guilty of a crime and incarcerated, the laws governing lawyer-client privilege remain sacrosanct.

In 2014 the Austin Lawyers Guild and a prisoner advocacy group brought a federal civil rights lawsuit against Securus, alleging lawyers' phone calls to their jailed clients were being recorded, procured, stored and listened to by prosecutors.

Securus insists calls to numbers known to belong to lawyers are not recorded and that if the company detects that such calls have been recorded, they are instantly deleted, but the hacker's data appears to prove otherwise.

According to the Intercept, the lawsuit is ongoing as the lawyers continue to argue that recording privileged conversations is essentially giving their entire strategy away to the prosecutors, which means the trial is not fair, but there have been no recent updates. IBTimes UK has contacted the Austin Lawyers Guild and is waiting for a response. As for Securus, it appears it has not properly protected its data.

Data needs to be segmented and encrypted

Mark James, security specialist at IT security firm ESET, said: "The problem we have here is how the data was compromised. If it was encrypted and someone with the authority to view or access it in the first place was able to make copies and/or move this data off site, then the question should be why was the data not segregated off and stored with multi-factor access or even digitally encoded for tracing purposes?

"If the data was not encrypted and it was accessed by someone who managed to compromise the system, then of course why it was not encrypted is the big question.

"Quite often in these cases the storing of this data is governed by general rules to protect data as a whole and sadly not all data is equal. Some data needs to be protected differently than others, the data is now 'in the wild' and nothing can be done about that. In these circumstances access to this data could have massive repercussions due to the nature of the content and it should have been better protected."

In a statement, Securus said: "Securus is contacting law enforcement agencies in the investigation into media reports that inmate call records were leaked online. Although this investigation is ongoing, we have seen no evidence that records were shared as a result of a technology breach or hack into our systems.

"Instead, at this preliminary stage, evidence suggests that an individual or individuals with authorised access to a limited set of records may have used that access to inappropriately share those records.

"It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties. Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls.

"Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance. We are coordinating with law enforcement and we will provide updates as this investigation progresses."