Security Experts: Prison Phone System Data Breach Puts VoIP Security Into Spotlight

Security experts said the reports Wednesday of a major data breach at Securus Technologies, which provides a significant amount of phone services to prisons nationwide, raises privacy concerns and calls into question security around VoIP systems.

The data breach, which was first reported by The Intercept, compromised 70 million records across 37 states. The records include phone records as well as 14,000 phone recordings of likely confidential attorney-client conversations, the report said.

The report said the records extend from December 2011 to spring of 2014.

[Related: Open-Source Superstar, Former HP Cloud Exec Mickos Takes CEO Post At HackerOne]

Sponsored post

The data breach had privacy experts up in arms about what confidential information could now be exposed the public, possibly violating the attorney-client privileges of some inmates. From a technology perspective, security experts said the biggest implications as more details emerge about the cause and extent of the breach is that it throws into question the security of VoIP systems, used by many companies today.

"It's substantial," David McKeough, executive vice president of global field operations at Waltham, Mass.-based Digital Guardian, said. "You have to understand whether it was part of the program being used and whether you can leverage it in other [phone] systems. If you can leverage [the vulnerability] in other systems, it could wreak havoc."

Matt Johnson, CEO of Reisterstown, Md.-based Phalanx Secure (formerly known as Raven Data Technologies), said he doesn't think many users realize how many VoIP calls are being saved and how easy it is for that to happen. A breach like this one highlights that "just because you can save something doesn’t mean you should," Johnson said.

"It definitely has implications," Johnson said.

In the wake of the breach, Johnson said he will be taking a look at his client environments to evaluate if they are purposely or inadvertently saving similar call data, and evaluate whether that is the best course of action for the client.

"I probably will talk to them to make sure they are actually storing data in their VoIP system and if they need to store it," Johnson said. "My thoughts are: If there's no reason to keep it, then don't."

For those who do want to or need to store data, such as Securus Technologies, McKeough said they should evaluate data protection technologies as a "last line of system defense" in the event of a breach.

"It's become more evident every day that data protection is what's needed and compliance just isn’t enough," McKeough said. "You need a holistic approach to data security."