Journalists Find Massive Data Security Lapse, Get Threats Instead of Thanks

Future Tense
The Citizen's Guide to the Future
May 21 2013 5:02 PM


A “thank you” might be in order if you find a massive leak of a company’s sensitive customer records on the Internet and raise alarm so the problem can be fixed. But that’s not how it always goes down, as a team of investigative reporters for the Scripps News Service recently found out the hard way.

Ryan Gallagher

Ryan Gallagher is a journalist who reports on surveillance, security, and civil liberties.

In a recent report, the Scripps journalists say they found through a basic Google search a gaping security hole exposing more than 170,000 records related to customers of and applicants for Lifeline, the federal program for low-income Americans that offers a discounted phone service. The information, involving people from at least 26 states, included Social Security numbers, scans of passports, driver’s licences, parole letters, food-stamp cards, tax records, home addresses, and financial accounts. Scripps reports that the records were “widely available online this spring after being collected for two phone carriers participating in the program: Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc.” A Scripps reporter first uncovered the records while searching for PDF files attached to the TerraCom website.


The data leak appears to have put hundreds of Lifeline customers at serious risk of identity theft and may constitute a violation of privacy and data protection laws. (Indiana’s attorney general is already reportedly probing the breach, and the FCC has commented that a single privacy violation could cost a company as much as $1.5 million.) Scripps says it notified the companies of the security hole and “within hours, [the records] no longer were publicly accessible.” But instead of thanking the journalists for flagging up the issue, Jonathan Lee, legal counsel for TerraCom and YourTel, sent an angry and threatening letter to Scripps, referring to “Scripps hackers” and accusing the reporters of “numerous violations of the Computer Fraud and Abuse Act.” In one bizarre passage, Lee even claims that it is Scripps, not the companies responsible for the data leak in the first place, that should expect to pay any fines:

Because the Scripps Hackers have put the Companies in the position of having to incur the costs of potentially complying with more than 20 state data breach notification laws, the Companies are likely to look to Scripps to reimburse them for those costs.

David Giles, Scripps’ deputy general counsel, responded to the accusation that the reporters “hacked” the information by calling on the companies to stop the “name calling and the legal posturing” and instead address the “apparent careless security practices” raised by the story. “Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote in a letter sent to TerraCom and YourTel’s lawyers earlier this month.

The Scripps case bears some resemblance to a separate, similar incident involving Andrew “weev” Auernheimer, who was sentenced in March to 41 months in prison after he found a security flaw in AT&T’s public website and used it to harvest the email addresses of over 114,000 iPad users. Auernheimer passed the data to Gawker, and he was subsequently prosecuted under the Computer Fraud and Abuse Act. The feds accused Auernheimer of exploiting the security hole for personal gain to promote his security company. But Auernheimer’s supporters argue that his conviction illustrates the need to reform the “vague language, broad sweep, and heavy penalties” of the CFAA, which was also used in the controversial prosecution of Internet freedom activist Aaron Swartz, who committed suicide in January.

In an emailed statement Tuesday afternoon, Dale Schmick, CEO of TerraCom and YourTel, said the companies were in “ongoing discussions” with federal and state regulators and law enforcement regarding the incident. Schmick claimed that only a portion of the records—involving 270 Lifeline applicants—had been available through Internet searches and alleged that the Scripps reporters used “sophisticated computer techniques” to download some of the information.

Giles, Scripps’ deputy counsel, said in a letter that the search revealing the security hole “required no special skill and in no way ‘hacked’ or illegally accessed any server or database operated by TerraCom or any other company.”

Future Tense is a partnership of Slate, New America, and Arizona State University.
