Firstly, I will say that this blog piece contains spoilers, and if you haven’t watched the series yet I wouldn’t want to spoil it for you. Do yourself a favour and give it a watch – it’s a 3-part series following Mark Cobden, played by Sean Bean, as he navigates his way through prison life following a guilty verdict. One of the other central characters is Eric McNally a prison officer played by Stephen Graham. The entire cast are brilliant and not only make the show an absorbing watch but also give it the air of gritty realism.
One of the key plot lines involves the prison guard Eric whose son is unfortunately an inmate at another prison. This is clearly something that he has tried to keep quiet, and should not be common knowledge amongst the prison population. However, early in the series Eric is threatened by a prisoner who seems to know his son David is in prison – “You want him to be comfy don’t you? We know loads of lads down there”. Initially the guard Eric had denied having a son in prison, and said they weren’t close, but despite this the inmate knows exactly what prison he’s in and that Eric is due to visit him the next day.
Obviously, the story doesn’t go into how the criminal network had researched their target and found a vulnerability in the guard (I imagine for most people that would probably make quite boring television). However, whilst threatening Eric the inmate reveals that social media has played a part – after the guard has denied having a son called David the inmate says, “That’s strange that, ‘cus you mention him on Facebook – except there you say he’s working away, but he’s not is he boss… he’s in Low Wood prison”. So, it seems that social media has played a key part in the guard getting blackmailed.
There are two clear means here as to how the Facebook account could have played a part. Firstly, the images on Facebook of the guard and his son would have provided an ID photo for the gang. If they knew he was in the prison system and had contacts imprisoned in numerous facilities the image could have been sent around to key contacts to try and ascertain which prison he was in. Making the ID might have been much more difficult without images being available online, particularly any in which the guard and his son are seen together.
Secondly, and perhaps a little more farfetched – but not unfeasible for a large-scale criminal organisation, would be that the entire vulnerability was located via an extensive OSINT exercise. The value of having a prison guard coerced into smuggling items into prison is likely quite high, and perhaps worth spending the time trying to locate a vulnerability. If it was decided that this was a worthwhile endeavour, then having someone research all the staff within a prison along with their close relatives is a straightforward exercise. In this instance all they will have had to locate is the name of the guard’s son, and a news article detailing his arrest and subsequent trial, to set the wheels in motion.
This could be a needle in a haystack type scenario, but if you assume there are around 200 – 250 staff working in any one facility in the UK – it’s both a big enough sample to get lucky, and a small enough sample to work through to find that needle.
It is critical that organisations take the time to conduct vulnerability assessments on members of staff working in sensitive positions and that OSINT forms a large part of that. A good vulnerability assessment on the guard Eric would have stated that he had a son inside a prison facility, but OSINT would have established whether it was possible for anyone with a computer and an internet connection to find that out as well – raising the risk level severely.