Full Report
Over on Risky Biz News, Catalin Cimpanu has a great write-up about how a Romanian prisoner hacked the country’s prison management platform. He writes: "The incident took place in August and continued through October. From various reports in Romanian media and a statement released by the national penitentiary police union, the incident appears to have originated in the city of Dej, in Romania’s..."
Analysis Summary
# Incident Report: Romanian Prison IT System Compromise by Inmate
## Executive Summary
A Romanian prisoner successfully hacked the National Penitentiary Association (ANP) prison management platform between August and October 2025. The inmate exploited kiosk and tablet access points to manipulate their sentence time, redeem work credits, and alter financial balances within the system. The incident resulted in a significant security breach within the Romanian correctional facilities' IT infrastructure before being discovered.
## Incident Details
- Discovery Date: Not precisely stated; the compromise, which began in August, became public through the union's statement and media reports in October 2025.
- Incident Date: August 2025 - October 2025
- Affected Organization: National Penitentiary Association (ANP), Romanian Prison System
- Sector: Government Sector (Corrections/Justice)
- Geography: Romania (Originating from Dej hospital prison complex)
## Timeline of Events
### Initial Access
- Date/Time: August 2025 (Start of continuous compromise)
- Vector: Exploitation of credentials or vulnerabilities on prison-issued tablets and kiosks located at the Dej hospital prison complex.
- Details: The prisoner gained access to an online platform managed by the ANP via these end-user systems.
### Lateral Movement
- Details: The attacker maintained access to the core prison management database/platform throughout the period, allowing them to execute targeted modifications across various inmate accounts and system settings.
### Data Exfiltration/Impact
- Details: The prisoner modified official records, specifically:
1. Reduced criminal sentences.
2. Illegitimately redeemed sentence reduction days for work performed.
3. Altered the financial accounts prisoners use for commissary purchases, in some cases by appending an extra zero to an amount or crediting unauthorized funds.
### Detection & Response
- Details: The breach was brought to light through investigations spurred by multiple media reports and a statement from the national penitentiary police union (SNPP). Specific response actions are pending further official details, but the inmate was identified and the unauthorized changes were reversed or contained.
## Attack Methodology
- Initial Access: Exploitation of physical endpoints (tablets/kiosks) provided to inmates, utilizing existing credentials or vulnerabilities specific to those devices to reach the central ANP platform.
- Persistence: Maintained access over several months (August to October) via the compromised user accounts or system access points.
- Privilege Escalation: Implied via the ability to modify sensitive administrative functions such as sentence length and financial control without triggering immediate alerts.
- Defense Evasion: The system failed to adequately segregate activities between legitimate user requests and unauthorized administrative changes.
- Credential Access: Not explicitly detailed, but access was gained via a username and password on the platform accessed through the kiosks.
- Discovery: Internal system monitoring appears to have been insufficient; the breach came to light through external media reports and the union's statement rather than through the platform's own alerting.
- Lateral Movement: Movement was contained within the scope of the prison management platform itself, affecting multiple inmate data records.
- Collection: Accessing and modifying transactional data (sentence time, work credits, financial balances).
- Exfiltration: N/A (The breaches were internal modifications rather than mass external data theft, though inmate PII was accessible).
- Impact: Unauthorized changes to judicial records and prison finances.
## Impact Assessment
- Financial: Alterations to inmate commissary account balances were reported, including adding an extra zero to some amounts.
- Data Breach: Sensitive administrative data related to inmate sentencing and financial standing was manipulated.
- Operational: Revealed a "major security breach" (**bresa de securitate majora**) in the IT systems managing Romanian penitentiaries, necessitating review and potential shutdown/audit of the kiosk/tablet interface.
- Reputational: Significant negative press regarding the security posture of the Romanian prison system.
## Indicators of Compromise
*(No specific IPs, domains, or file hashes were provided in the source text.)*
- Behavioral Indicators: Unauthorized modification of sentencing calculations, unusual activity on inmate digital account ledgers, and redemption of work credits without proper authorization.
## Response Actions
- Containment: The immediate focus would involve isolating or patching the compromised tablets/kiosks and reviewing all transactions performed during the August–October window.
- Eradication: Revoking breached credentials and potentially rebuilding access controls for the ANP platform endpoints.
- Recovery: Reverting unauthorized sentence reductions, correcting commissary balances, and auditing all affected inmate records.
## Lessons Learned
- Relying on shared or poorly segregated user access via kiosks and tablets presents an unacceptable risk vector when connected to core administrative databases.
- In-prison IT systems require robust segmentation and mandatory multi-factor authentication/strong access controls, even for inmate-facing applications.
- Internal auditing and anomaly detection controls around sensitive fields (like sentence duration and financial ledgers) must be aggressively implemented to catch unauthorized modifications quickly.
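The third lesson above (and the behavioral indicators listed under Indicators of Compromise) can be turned into concrete detection rules over the platform's audit trail. The following is an added example, not code from the ANP platform or from the Risky Biz write-up: the audit-record layout, the field names (`sentence_end_date`, `work_credit_days`, `commissary_balance`), the channel names and the sample events are all constructed for illustration. It flags sensitive-field writes that originate from an inmate-facing kiosk or tablet, sentence reductions and work-credit changes with no countersigning officer, and the "extra zero" pattern (a balance multiplied by exactly ten) reported in the commissary accounts.

```python
"""Detect suspicious modifications to sensitive inmate records in an audit log.

Added example; not the ANP platform's code. The record layout, field names,
channel names and the sample events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Fields whose modification must always be reviewed (sentence duration,
# work-credit redemption, commissary ledger).
SENSITIVE_FIELDS = {"sentence_end_date", "work_credit_days", "commissary_balance"}

# Client channels that are inmate-facing and should never originate a write
# to a sensitive field; anything else is treated as a staff workstation.
INMATE_FACING_CHANNELS = {"kiosk", "tablet"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str            # ISO-8601 timestamp (constructed)
    actor: str         # account that performed the change
    channel: str       # "kiosk", "tablet", "staff_ws", ...
    inmate_id: str     # record that was changed
    field: str
    old: str
    new: str
    approver: str = ""  # second officer who countersigned, if any


@dataclass(frozen=True)
class Alert:
    rule: str
    event: AuditEvent


def _is_extra_zero(old: str, new: str) -> bool:
    """True when a positive numeric balance became exactly ten times larger,
    i.e. a digit '0' was appended to the amount."""
    try:
        o, n = float(old), float(new)
    except ValueError:
        return False
    return o > 0 and abs(n - o * 10) < 1e-9


def analyze(events: list[AuditEvent]) -> list[Alert]:
    """Run every rule over every event and return the alerts in log order."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.field not in SENSITIVE_FIELDS:
            continue
        # Rule 1: a sensitive field was written from an inmate-facing device.
        if ev.channel in INMATE_FACING_CHANNELS:
            alerts.append(Alert("sensitive_write_from_inmate_channel", ev))
        # Rule 2: a sentence end date moved earlier with no countersigning officer.
        if (ev.field == "sentence_end_date" and not ev.approver
                and date.fromisoformat(ev.new) < date.fromisoformat(ev.old)):
            alerts.append(Alert("sentence_reduced_without_approver", ev))
        # Rule 3: work credits changed with no countersigning officer.
        if ev.field == "work_credit_days" and not ev.approver:
            alerts.append(Alert("work_credit_change_without_approver", ev))
        # Rule 4: commissary balance multiplied by ten (appended zero).
        if ev.field == "commissary_balance" and _is_extra_zero(ev.old, ev.new):
            alerts.append(Alert("balance_extra_zero", ev))
    return alerts


# Constructed sample audit trail (account ids, dates and amounts are invented).
SAMPLE_EVENTS = [
    AuditEvent("2025-09-02T10:14:00", "inm-4471", "kiosk", "inm-4471",
               "commissary_balance", "120.00", "1200.00"),
    AuditEvent("2025-09-03T11:00:00", "inm-4471", "tablet", "inm-4471",
               "sentence_end_date", "2029-06-30", "2027-06-30"),
    AuditEvent("2025-09-05T09:30:00", "ofc-112", "staff_ws", "inm-0233",
               "work_credit_days", "40", "55", approver="ofc-087"),
    AuditEvent("2025-09-06T14:20:00", "ofc-112", "staff_ws", "inm-0233",
               "work_credit_days", "55", "0"),
    AuditEvent("2025-09-06T14:25:00", "inm-0233", "kiosk", "inm-0233",
               "profile_phone", "0700000000", "0700000001"),
]


def run_sample() -> list[Alert]:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.event.ts} {a.rule:40s} actor={a.event.actor} "
              f"field={a.event.field} {a.event.old} -> {a.event.new}")
```

Rule 1 is the one that would have fired earliest here: whatever credential was used, a write to a sentence or ledger field should never arrive over a kiosk or tablet session, so that alone is a high-confidence signal. Rules 2 and 3 encode dual control as a detection (a correct change always carries an approver), and rule 4 catches the specific ledger manipulation reported without needing any model of "normal" balances.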
## Recommendations
- Immediately decommission or severely restrict the privileges of any tablet/kiosk interface that provides direct access to the ANP management platform until a complete security overhaul is completed.
- Mandate strong, non-shared account structures or deploy read-only access for inmates, segregating any transactional functions into highly controlled microservices.
- Implement continuous auditing on all fields related to sentence length, parole eligibility, and inmate funds, alerting security teams instantly upon modification.
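The second recommendation (read-only access for inmates, with transactional functions segregated behind tightly controlled services) is enforced server-side, not on the kiosk. The following is an added example, not code from the ANP platform: the session model, the role names (`inmate`, `officer`, `finance`), the channel names and the dual-control rule are assumptions chosen to illustrate the policy. The gate refuses any sensitive write that arrives over an inmate-facing channel regardless of the account's role, so a staff credential used from a tablet gains nothing; it then requires the designated role, MFA, and for sentence and work-credit changes a second, distinct, MFA-verified officer.

```python
"""Server-side write gate for sensitive inmate-record fields.

Added example; not the ANP platform's code. Roles, channels, field names
and the dual-control policy are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

SENSITIVE_FIELDS = {"sentence_end_date", "work_credit_days", "commissary_balance"}
INMATE_FACING_CHANNELS = {"kiosk", "tablet"}

# Which staff role may write which sensitive field. Inmates appear in no
# entry, so for them every sensitive field is read-only by default.
WRITE_ROLES = {
    "sentence_end_date": {"officer"},
    "work_credit_days": {"officer"},
    "commissary_balance": {"finance"},
}

# Fields that additionally need a second officer to countersign.
DUAL_CONTROL_FIELDS = {"sentence_end_date", "work_credit_days"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str               # "inmate", "officer", "finance"
    channel: str            # "kiosk", "tablet", "staff_ws"
    mfa_verified: bool = False


class Denied(Exception):
    """Raised with a human-readable reason when a write is refused."""


def authorize_write(session: Session, field: str,
                    approver: Optional[Session] = None) -> bool:
    """Return True if the write may proceed; raise Denied otherwise.

    Checks are ordered so that the channel rule wins: a sensitive write from
    an inmate-facing device is refused before the role is even examined.
    """
    if field not in SENSITIVE_FIELDS:
        return True  # ordinary profile fields follow the normal rules (omitted)
    if session.channel in INMATE_FACING_CHANNELS:
        raise Denied("sensitive fields are read-only on inmate-facing channels")
    if session.role not in WRITE_ROLES[field]:
        raise Denied(f"role {session.role!r} may not write {field}")
    if not session.mfa_verified:
        raise Denied("MFA required for sensitive writes")
    if field in DUAL_CONTROL_FIELDS:
        if (approver is None or approver.role != "officer"
                or approver.user == session.user or not approver.mfa_verified
                or approver.channel in INMATE_FACING_CHANNELS):
            raise Denied("dual control: a distinct MFA-verified officer "
                         "on a staff channel must approve")
    return True


def can_write(session: Session, field: str,
              approver: Optional[Session] = None) -> bool:
    """Boolean convenience wrapper around authorize_write()."""
    try:
        return authorize_write(session, field, approver)
    except Denied:
        return False


# Constructed sessions for the demonstration below.
INMATE_KIOSK = Session("inm-4471", "inmate", "kiosk")
OFFICER_ON_TABLET = Session("ofc-112", "officer", "tablet", mfa_verified=True)
OFFICER_A = Session("ofc-112", "officer", "staff_ws", mfa_verified=True)
OFFICER_B = Session("ofc-087", "officer", "staff_ws", mfa_verified=True)
OFFICER_NO_MFA = Session("ofc-300", "officer", "staff_ws", mfa_verified=False)
FINANCE = Session("fin-021", "finance", "staff_ws", mfa_verified=True)


if __name__ == "__main__":
    checks = [
        ("inmate on kiosk edits balance", INMATE_KIOSK, "commissary_balance", None),
        ("officer credential used from tablet", OFFICER_ON_TABLET, "sentence_end_date", OFFICER_B),
        ("officer without approver", OFFICER_A, "sentence_end_date", None),
        ("officer approving own change", OFFICER_A, "sentence_end_date", OFFICER_A),
        ("officer with distinct approver", OFFICER_A, "sentence_end_date", OFFICER_B),
        ("finance adjusts balance", FINANCE, "commissary_balance", None),
    ]
    for label, s, f, a in checks:
        try:
            authorize_write(s, f, a)
            print(f"ALLOW  {label}")
        except Denied as e:
            print(f"DENY   {label}: {e}")
```

The point of putting the channel check first is that it does not depend on who the account claims to be: even a fully valid officer login, if it reaches the write service through the kiosk network path, is refused. That is what "segregating transactional functions" means in practice, and it is the control most directly aimed at the access path described in this incident.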