12/11/2015 4:58 AM AEDT | Updated 13/11/2015 3:04 AM AEDT

Hack Reveals Prison Phone Company Recorded Attorney-Client Calls

The breach leaked a total of over 70 million calls in 37 states.

Whenever a prisoner makes a phone call, that call is recorded. Prison phone giant Securus Technologies says on its website that it makes an exception for calls from inmates to their lawyers.

Yet The Intercept reported Wednesday that a massive hack, compromising over 70 million calls in 37 states over two and a half years, shows that Securus is not only recording attorney-client calls, but that the company's "secure" recording and storage systems are, in fact, porous.

By recording privileged calls with lawyers, Securus may have violated prisoners' constitutional rights.

“This may be the most massive breach of the attorney-client privilege in modern U.S. history. ... A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not,” the ACLU's David Fathi told The Intercept.

The Intercept's Jordan Smith and Micah Lee identified 14,000 calls that prisoners made to their attorneys between winter 2011 and spring 2014, but this figure only covers calls to publicly listed lawyers' phone numbers. Calls to unlisted numbers, such as cell phones, are not included, although they could still be covered by attorney-client privilege.

"In other words, the 14,000 attorney calls are potentially just a small subset of the attorney-client calls that were hacked," Smith and Lee wrote. Securus' phones, they said, "are supposed to be set up to allow certain phone numbers to be logged and flagged so that calls to those numbers are exempt from being recorded -- let alone stored."

Securus said in a statement Wednesday evening that it had contacted law enforcement regarding the leak.

Securus was also hacked in 2014, Smith and Lee reported. It appears that someone accessed three calls placed by Aaron Hernandez, the former New England Patriots player and convicted murderer. In an email thread discussing the 2014 hack, one Securus employee told another, "OMG........this is not good! ... The company will be called to task for this if someone got in there that shouldn’t have been.”

Lawyers are often responsible for giving the government their contact information so their phone numbers can be excluded from recording. It is then prison administrators' responsibility to add those number to the Securus system, and Securus' job to keep any recordings it makes secure.

On that point, at a minimum, The Intercept shows Securus failed. 

"In short," Smith and Lee said, "it turns out that Securus isn’t so secure."

This story has been updated to include information from Securus Technologies' statement.