Convicts in an Ohio prison were using hidden computers for identity theft and other nefarious activities. A recent story out of Ohio will likely attract the attention of screenwriters.
Staff discovered two operable computers hidden in a ceiling in Marion Correctional Institution in Ohio.
The computers were being used by inmates to steal the identity of another inmate, including submitting credit card applications in his name; the identity thief also planned to commit tax fraud.
More on all of this in a bit, but first, there’s an additional frightening component to this story, one that we’ve yet to see a story pick up on even though it’s been covered widely. If you’re a business owner who is considering donating your used equipment, we suggest you think twice before doing so.
The inmates had access to old computers thanks to a program at the prison that employed offenders to disassemble out-of-date, unwanted computers. RET3, a non-profit agency that recycles old technology, had a contract with the prison for the program.
As such, the inmates were permitted to “remove the hard drives for RET3 computers slated for salvage and allowed the inmates to wipe the hard drives,” according to the State of Ohio Office of the Inspector General Report of Investigation filed April 11, 2017.
It’s clear from the report that’s not what was happening.
A prison employee “agreed with investigators it would be possible for those inmates to take a hard drive, access the information stored on the hard drive, copy the information or transfer the information to another drive and possibly use the confidential, personal information of the previous owner,” according to the report.
Stolen credentials, lax security
Back to the scandal. It was an email alert notifying the IT department that a computer operating on the network had “exceeded a daily internet usage threshold” on a day the user wasn’t scheduled to be working that ultimately led to the crime being uncovered. Turns out the inmate “shoulder surfed” the contractor in charge of the RET3 program and stole his credentials.
The agency’s IT department started digging and eventually followed cable from a networking switch to find the computers. They’d been hidden in the ceiling above a training room closet in an area off limits to unsupervised inmates. Inmates would access the secret computers via the prison’s inmate-authorized computers.
The contractor admitted during the investigation that he would sometimes leave inmates in the room unsupervised for as much as an entire afternoon.
According to the Inspector General’s report, this allowed inmates to take “two computers that should have been disassembled, placed hard drives into the computers, installed a network card, transported the computers across the institution for approximately 1,100 feet, through the security checkpoint without being searched or challenged by staff, accessed an elevator to the third floor and placed the two computers in the ceiling of the P3 training room.”
The inmates used the computers to “access DOTS to obtain confidential personal information to attain a fraudulent debit card account to file fraudulent tax returns. Additionally, through DOTS, inmates had unauthorized access to inmate records including disciplinary records, sentencing data, and inmate locations.”
Articles about “making homemade drugs, plastics and explosives, and credit cards were discovered,” according to the report.
In the end, five inmates implicated in the scandal were shipped off to other institutions, according to the report.
Are you covered for identity theft?