Journalists Find Massive Data Security Lapse, Get Threats Instead of Thanks

The Citizen's Guide to the Future
May 21 2013 5:02 PM



A “thank you” might be in order if you find a massive leak of a company’s sensitive customer records on the Internet and raise alarm so the problem can be fixed. But that’s not how it always goes down, as a team of investigative reporters for the Scripps News Service recently found out the hard way.

Ryan Gallagher

Ryan Gallagher is a journalist who reports on surveillance, security, and civil liberties.

In a recent report, the Scripps journalists say they found through a basic Google search a gaping security hole exposing more than 170,000 records related to customers of and applicants for Lifeline, the federal program for low-income Americans that offers a discounted phone service. The information, involving people from at least 26 states, included Social Security numbers, scans of passports, driver’s licences, parole letters, food-stamp cards, tax records, home addresses, and financial accounts. Scripps reports that the records were “widely available online this spring after being collected for two phone carriers participating in the program: Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc.” A Scripps reporter first uncovered the records while searching for PDF files attached to the TerraCom website.


The data leak appears to have put hundreds of Lifeline customers at serious risk of identity theft and may constitute a violation of privacy and data protection laws. (Indiana’s attorney general is already reportedly probing the breach, and the FCC has commented that a single privacy violation could cost a company as much as $1.5 million.) Scripps says it notified the companies of the security hole and “within hours, [the records] no longer were publicly accessible.” But instead of thanking the journalists for flagging up the issue, Jonathan Lee, legal counsel for TerraCom and YourTel, sent an angry and threatening letter to Scripps, referring to “Scripps hackers” and accusing the reporters of “numerous violations of the Computer Fraud and Abuse Act.” In one bizarre passage, Lee even claims that it is Scripps, not the companies responsible for the data leak in the first place, that should expect to pay any fines:

Because the Scripps Hackers have put the Companies in the position of having to incur the costs of potentially complying with more than 20 state data breach notification laws, the Companies are likely to look to Scripps to reimburse them for those costs.

David Giles, Scripps’ deputy general counsel, responded to the accusation that the reporters “hacked” the information by calling on the companies to stop the “name calling and the legal posturing” and instead address the “apparent careless security practices” raised by the story. “Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote in a letter sent to TerraCom and YourTel’s lawyers earlier this month.

The Scripps case bears some resemblance to a separate incident involving Andrew “weev” Auernheimer, who was sentenced in March to 41 months in prison after he found a security flaw in AT&T’s public website and used it to harvest the email addresses of over 114,000 iPad users. Auernheimer passed the data to Gawker, and he was subsequently prosecuted under the Computer Fraud and Abuse Act. The feds accused Auernheimer of exploiting the security hole for personal gain to promote his security company. But Auernheimer’s supporters argue that his conviction illustrates the need to reform the “vague language, broad sweep, and heavy penalties” of the CFAA, which was also used in the controversial prosecution of Internet freedom activist Aaron Swartz, who committed suicide in January.

In an emailed statement Tuesday afternoon, Dale Schmick, CEO of TerraCom and YourTel, said the companies were in “ongoing discussions” with federal and state regulators and law enforcement regarding the incident. Schmick claimed that only a portion of the records—involving 270 Lifeline applicants—had been available through Internet searches and alleged that the Scripps reporters used “sophisticated computer techniques” to download some of the information.

Giles, Scripps’ deputy counsel, said in a letter that the search revealing the security hole “required no special skill and in no way ‘hacked’ or illegally accessed any server or database operated by TerraCom or any other company.”

Future Tense is a partnership of Slate, New America, and Arizona State University.
