Ohio officials claim inmates at a state prison built their own computers, hid them in a ceiling and used the prison's internet to steal identities and downloaded hacking programs.
The Office of the Ohio Inspector General published a report Tuesday detailing the scheme, which the agency claims occurred at the 2,500-prisoner Marion Correctional Institution north of Columbus.
The agency was tipped off in July 2015, when the Ohio Department of Rehabilitation and Correction (ODRC) received an alert a computer had exceeded its daily internet usage threshold. The log-in credentials being used were for an employee who was not working that day.
Employees were able to trace the computer connection and found the computers, which were hidden on plywood boards above a ceiling panel in a prison training room, the report said.
The computers were connected to the ODRC computer network and were being used by an inmate to steal the identity of another inmate, in part so that he could submit credit card applications and commit tax fraud, the report said. The computers, the investigation found, also were used to illegally create security clearance passes for inmates to gain access to restricted areas and download hacking tools that could be used in network attacks.
Analysis revealed the computers had been used to make credit card applications, create passes for inmates to gain access to multiple areas within the prison and access inmate records such as disciplinary data, sentencing data and inmate locations. A “large hacker’s toolkit with numerous malicious tools for possible attacks” was detected on the computer’s hard drives.
The Ohio Inspector General found “lax inmate supervision” allowed inmates the ability to build computers from parts, transport them through several prison security checks, hide them in the ceiling, run cabling, and ultimately, connect the computers to the prison’s network.
Programs for inmates at MCI included one in which obsolete computers were disassembled and the parts returned to the contractor. In addition, the investigation determined inmates had unregulated access to computer hardware, software and accessories.
“Additionally, articles about making home-made drugs, plastics, explosives and credit cards were discovered,” the report said.
The inspector general’s report concluded that MCI employees failed to report suspected illegal activity, failed to supervise inmates and protect computer resources, failed to follow crime scene protection policies and failed to follow password security policy. All those areas should be addressed, the inspector general’s office said. It asked the director of ODRC to respond within 60 days to detail how changes will be implemented.
The report of investigation has been sent to the Marion County Prosecuting Attorney and the Ohio Ethics Commission for consideration.