In Dej, Romania, prisons use a system of kiosks that let inmates log into a Ministry of Justice platform. These terminals allow prisoners to check their sentence details and manage funds for small purchases inside the prison. But, like any kiosk system, it was only a matter of time before someone found a way to tamper with it.
That someone turned out to be Aurel, an inmate already serving time for his role in a counterfeiting operation. At some point, Aurel managed to obtain credentials belonging to the prison’s former director. How he acquired them is still unclear. Early reports from Romania’s Union of Prison Officers suggested that another inmate, who claimed affiliation with Anonymous, escaped the kiosk’s restricted environment simply by aggressively spamming the start menu. This supposedly allowed access to the underlying operating system, where the inmate discovered a shared printer service exposing the credentials.
No technical explanation has been confirmed. The union later stated they were unable to reproduce the exploit, leaving the credential theft a lingering mystery.
Regardless of the origin, the credentials granted Aurel administrator-level access to the prison platform used across nearly every penitentiary in Romania. His access truly came into play when he was transferred to a prison in southern Romania. From there, he could view the personal information of every inmate in the system. But Aurel had other priorities.
Logs show he spent considerable time browsing explicit content on The Hub, and he generously shared this access with other inmates. Altogether, prisoners accumulated more than 300 hours using the system, and most observers have a clear guess as to what most of that time involved.
Once the entertainment phase was over, Aurel turned to more serious data manipulation. He began altering prison account balances, effectively performing a crude version of quantitative easing. According to official reports, he did this by simply adding zeros to deposit entries. At least 15 inmates across multiple prisons benefited, with one prisoner ending up with an account balance equivalent to more than a million dollars.
Aurel also modified sentence-related data. Romanian prisons award “earning days,” reductions in sentence length granted for work or educational participation. With admin access, Aurel and others were able to reduce their own sentences by altering these records.
Yet the scheme lasted less than two months. Financial auditors eventually flagged inconsistencies, triggering a deeper investigation. The Ministry of Justice has since released statements attempting to downplay the incident, insisting it was not a data breach but a “temporary impairment of confidentiality and integrity of certain data sets,” a distinction critics find unconvincing.
The investigation is ongoing, but for Aurel, the consequences are already clear. He was nearing the end of a nine-year sentence and scheduled for release next month. Now, with new charges almost certain, that release date is expected to be pushed far into the future.
This incident highlights significant weaknesses in Romania’s relatively new prison IT system, which has already been criticized for bugs and security issues. And while the story has drawn international attention for its absurd and almost cinematic elements, it also raises serious concerns about digital security in critical government systems.
