Reporters threatened with CFAA, labeled hackers for finding security hole

Scripps News reporters discovered 170,000 Lifeline phone customer records online that contained everything needed for identity theft. After requesting an interview with the COO of TerraCom and YourTel, the reaction was kill-the-messenger style; the reporters were called “Scripps Hackers” and threatened with violating the Computer Fraud and Abuse Act.

Scripps News was looking into Lifeline, a government program offering affordable phone service for low-income citizens. Last year, the FCC “tightened” the rules for the program by requiring Lifeline phone carriers to document applicants’ eligibility, which led to collecting more sensitive information from citizens. But telecom carriers “must not retain copies” of the sensitive information used to validate eligibility. Yet a Scripps News investigative team claims it “Googled” the phone companies TerraCom Inc. and YourTel America Inc. to discover 170,000 files online, all of which contained sensitive information that would make identity theft a breeze for thieves.

A Scripps News investigation, Privacy on the Line, said a 170,000 unprotected records from at least 26 states include “44,000 application or certification forms and 127,000 supporting documents or ‘proof’ files, such as scans or photos of food-stamp cards, driver’s licenses, tax records, U.S. and foreign passports, pay stubs and parole letters.” The 44,000 applications came from residents of the following 18 states:  Washington, Nevada, Arizona, Texas, Oklahoma, Louisiana, Arkansas, Kansas, Missouri, Iowa, Illinois, Indiana, Wisconsin, West Virginia, Pennsylvania, Maryland, Rhode Island, and Maine. These applications list “potential customers’ names, signatures, birth dates, home addresses and partial or full Social Security numbers.”

A Scripps reporter asked (pdf) for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the “Scripps Hackers” with violating the Computer Fraud and Abuse Act (CFAA).

Lee wrote a letter informing Scripps that the “intrusions and downloading” of sensitive records were associated with Scripps IP addresses. Lee warned that “the ‘Scripps Hackers’ have engaged in numerous violations of the Computer Fraud and Abuse Act by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps.”

Lee added that the Scripps Hackers eventually used Wget to find and download “the Companies’ confidential files.” (Wget was the same tool used by Facebook’s Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the “Scripps Hackers” for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.

Additionally, TerraCom posted a security breach notice that states, “As far as we can tell, the vast majority of applicant data files were accessed by the Scripps Howard News Service, and we are sorry that personal data of Lifeline applicants was accessed by the News Service and possibly by other unauthorized persons.”

Washington attorney S. Jenell Trigg, who has led seminars on privacy laws, is asking questions about Vcare. The company has “a corporate footprint in Seattle, but primarily operates from a suburb of New Delhi, India.” Trigg asked, “Why post it? Why make it available online under any circumstances? How was this Indian company vetted? What investigation did the Americans do to check on them?”

The FCC admitted, “While we don’t generally confirm or deny the existence of a specific investigation, we are aware of this incident.” The email added “that a carrier could be fined up to $1.5 million for a single violation of privacy.”

Scripps added that the Indiana attorney general’s office “has launched an investigation into the release of TerraCom applicants’ personal data. The Texas attorney general’s office also is scrutinizing the practices of TerraCom and YourTel. Company officials declined numerous requests for an interview. But, in a written statement, Dale Schmick, chief operating officer of both companies, said they were ‘actively investigating the full extent of any security breach’.”

Like this? Here’s more posts:

• Journalist threatened, warned not to write about face-recognition at Statue of Liberty
• Google to Microsoft on Windows Phone 8 YouTube app blocking ads: Cease and desist
• Skype accounts easily hijacked via Skype Support, warns hacker
• Microsoft: What are people really asking for when they ask for a Start button?
• U.S. government is ‘biggest buyer’ of zero-day vulnerabilities, report claims
• Officials to investigate DHS ammunition purchases
• Is Microsoft power-snooping on Skype conversations?
• Former FBI agent: All phone calls recorded, no digital communication secure
• Microsoft patches Pwn2Own & IE8 ‘nuke’ critical holes
• Comedian Rob Schneider stars as Google Docs in Microsoft Office 365 videos
• Google’s patent for email snooping? Microsoft offers your boss email spying powers now
• Hacktivists take on ‘Olympus Has Fallen’ scare tactics style

Follow me on Twitter @PrivacyFanatic