News Articles

This site contains over 2,000 news articles, legal briefs and publications related to for-profit companies that provide correctional services. Most of the content under the "Articles" tab below is from our Prison Legal News site. PLN, a monthly print publication, has been reporting on criminal justice-related issues, including prison privatization, since 1990. If you are seeking pleadings or court rulings in lawsuits and other legal proceedings involving private prison companies, search under the "Legal Briefs" tab. For reports, audits and other publications related to the private prison industry, search using the "Publications" tab.

For any type of search, click on the magnifying glass icon to enter one or more keywords, and you can refine your search criteria using "More search options." Note that searches for "CCA" and "Corrections Corporation of America" will return different results.

Ransomware Attack on GEO Group Exposes Sensitive Information

Loaded on April 1, 2021 by Matthew Clarke published in Prison Legal News April, 2021, page 55

Filed under: GEO Group/Wackenhut, Private Contractors. Location: United States of America.

by Matt Clarke

On November 3, 2020, the GEO Group, one of the largest private prison companies in the nation, revealed that it had suffered a ransomware attack in August of that year that exposed sensitive personal information of employees, immigrant detainees and prisoners.

GEO said it was sending data-breach notification letters to all affected individuals, but the company was unaware of any fraud or misuse of the information.

GEO owns or operates 123 facilities with a total of around 93,000 beds and about 23,000 employees in the U.S., U.K. and South Africa.

In a ransomware attack, criminal hackers penetrate a computer system and encrypt vital data. The system’s user is then offered the encryption key in exchange for payment, generally using Bitcoin or another cryptocurrency.

The ransomware attack on GEO compromised data for prisoners at South Bay Correctional and Rehabilitation Facility in Florida, a Pennsylvania youth facility and a now-closed facility in California, as well as employee data on two corporate servers.

The data include medical treatment information, which is private under federal law, and information that could be used in identity theft such as name, date of birth, and Social Security number. GEO worked with law enforcement and cybersecurity firms to investigate the attack.

In a document filed with the U.S. Securities and Exchange Commission, GEO said it was able to recover “critical operating data,” but did not explain whether this involved paying a ransom or the use of backup files. Also unexplained was why GEO waited 76 days to inform people that their data had been compromised.

Sources: eandt.thejet.org, dataprivacyandsecurityinsider.com