A “thank you” might be in order if you find a massive leak of a company’s sensitive customer records on the Internet and raise alarm so the problem can be fixed. But that’s not how it always goes down, as a team of investigative reporters for the Scripps News Service recently found out the hard way.
In a recent report, the Scripps journalists say they found through a basic Google search a gaping security hole exposing more than 170,000 records related to customers of and applicants for Lifeline, the federal program for low-income Americans that offers a discounted phone service. The information, involving people from at least 26 states, included Social Security numbers, scans of passports, driver’s licences, parole letters, food-stamp cards, tax records, home addresses, and financial accounts. Scripps reports that the records were “widely available online this spring after being collected for two phone carriers participating in the program: Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc.” A Scripps reporter first uncovered the records while searching for PDF files attached to the TerraCom website.
The data leak appears to have put hundreds of Lifeline customers at serious risk of identity theft and may constitute a violation of privacy and data protection laws. (Indiana’s attorney general is already reportedly probing the breach, and the FCC has commented that a single privacy violation could cost a company as much as $1.5 million.) Scripps says it notified the companies of the security hole and “within hours, [the records] no longer were publicly accessible.” But instead of thanking the journalists for flagging up the issue, Jonathan Lee, legal counsel for TerraCom and YourTel, sent an angry and threatening letter to Scripps, referring to “Scripps hackers” and accusing the reporters of “numerous violations of the Computer Fraud and Abuse Act.” In one bizarre passage, Lee even claims that it is Scripps, not the companies responsible for the data leak in the first place, that should expect to pay any fines:
Because the Scripps Hackers have put the Companies in the position of having to incur the costs of potentially complying with more than 20 state data breach notification laws, the Companies are likely to look to Scripps to reimburse them for those costs.
David Giles, Scripps’ deputy general counsel, responded to the accusation that the reporters “hacked” the information by calling on the companies to stop the “name calling and the legal posturing” and instead address the “apparent careless security practices” raised by the story. “Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote in a letter sent to TerraCom and YourTel’s lawyers earlier this month.
The Scripps case bears some resemblance to a separate similar incident involving Andrew “weev” Auernheimer, who was sentenced in March to 41 months in prison after he found a security flaw in AT&T’s public website and used it to harvest the email addresses of over 114,000 iPad users. Auernheimer passed the data to Gawker, and he was subsequently prosecuted under the Computer Fraud and Abuse Act. The feds accused Auernheimer of exploiting the security hole for personal gain to promote his security company. But Auernheimer’s supporters argue that his conviction illustrates the need to reform the “vague language, broad sweep, and heavy penalties” of the CFAA, which was also used in the controversial prosecution of Internet freedom activist Aaron Swartz, who committed suicide in January.
In an emailed statement Tuesday afternoon, Dale Schmick, CEO of TerraCom and YourTel, said the companies were in “ongoing discussions” with federal and state regulators and law enforcement regarding the incident. Schmick claimed that only a portion of the records—involving 270 Lifeline applicants—had been available through Internet searches and alleged that the Scripps reporters used “sophisticated computer techniques” to download some of the information.
Giles, Scripps’ deputy counsel, said in a letter that the search revealing the security hole “required no special skill and in no way ‘hacked’ or illegally accessed any server or database operated by TerraCom or any other company.”