TerraCom notifies 150,000 Lifeline applicants after breach
Here’s a breach I didn’t see in the media but first learned of from the Wisconsin Office of Privacy Protection. According to that office, on April 26, 2013, TerraCom, a wireless carrier, learned of a security breach involving unauthorized access to personal data and downloaded files related to over 150,000 individuals. The data was stored on the computer servers of TerraCom’s IT contractor, Call Centers India, Inc. d/b/a VCare Corporation (“VCare”) and belonged to applicants seeking enrollment in the federal Lifeline telephone program administered by the Federal Communications Commission (FCC). Approximately 875 of the 150,000 are Wisconsin residents.
The data accessed included name, Social Security Number, date of birth, address, driver’s license number, copies of tax information and other government forms that TerraCom is required by law to obtain and use in order to determine applicant eligibility for the Lifeline program.
TerraCom has initiated immediate corrective action to secure and protect compromised data files and further safeguard the personal data of applicants from future attacks by hackers.
TerraCom has mailed notice of the security breach to those persons whose records were individually accessed. Additionally, TerraCom will provide these applicants whose personal information was put at risk with instructions and the opportunity to enroll in a credit bureau monitoring service at no cost to the applicant.
A toll free number has been provided to assist applicants whose personal information was accessed about what they should do. (1-855-297-0243)
Those affected were mailed letters on May 14.
But there seems to be more to this story. A notice on TerraCom’s web site says (emphasis added below by me):
TerraCom, Inc. was recently the victim of a security breach that resulted in unauthorized access to some applicant’s personal data stored on our computer servers. We deeply regret that this incident occurred. We are informing individual applicants whose data, we believe, was most at risk to being accessed via the Internet. As far as we can tell, the vast majority of applicant data files were accessed by the Scripps Howard News Service, and we are sorry that personal data of Lifeline applicants was accessed by the News Service and possibly by other unauthorized persons. The information accessed included names, addresses, social security numbers, tax information and other government forms used by our company to determine applicant eligibility for the federal Lifeline program.
This is a very serious matter and we are actively investigating the full extent of any security breach in our computer systems. Additionally, we’ve taken steps to eliminate any potential release of personal data in the future.
Based on our ongoing investigation – being conducted in coordination with an independent digital forensics team – there appears to be no evidence to indicate that a malicious attack occurred on our computer systems, nor does it appear that any applicant has been injured as a result of the unauthorized accessing of personal data files by the news organization or any others.
What you can do:
Monitor your credit reports, bank and credit accounts for unauthorized activity and report anything questionable to the account issuer and credit bureaus.
Take advantage of online access to your account information so you don’t have to wait for the monthly statement to come in the mail.
If you learn that your Social Security Number has been compromised, immediately place a fraud alert on your three credit reports and then continue to monitor them.
We have established a toll-free number 1-855-297-0243 for applicants and customers to contact us with questions they may have. Our call center representatives are available to answer your questions and provide guidance on steps you can take to protect your financial information and guard against the potential for identity theft.
So what was Scripps Howard News Service doing accessing those files? It turns out they were investigating the breach. They report:
Customers of Lifeline, a federal program for low-income Americans, benefit by getting discounted phone service. But tens of thousands also face a liability: an increased risk of identity theft.
A Scripps News investigation has uncovered more than 170,000 records — listing sensitive information such as Social Security numbers, home addresses and financial accounts. These were widely available online this spring after being collected for two phone carriers participating in the program: Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc.
The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel. A reporter conducted another Google query of that site, and the search engine returned scores of applications. Scripps videotaped the process.
The reporter immediately shared the findings with editors, who assembled an editorial, technical and legal team to responsibly and legally gather and secure the records for reporting purposes.
The Scripps team used computer code to download the publicly available records, securing them both electronically and physically. To verify the documents’ authenticity, reporters contacted dozens of individuals named in them and spoke with privacy experts and others.
On April 26, Scripps notified Dale Schmick, chief operating officer for both TerraCom and YourTel, of the posted records. Within hours, they no longer were publicly accessible.
In a letter, a lawyer for both phone companies accused Scripps of accessing the records illegally. Scripps denied that allegation and offered to demonstrate how it found the documents online.
Schmick and the companies have declined Scripps’ repeated requests for an interview.
On Friday, TerraCom posted a notice on its website that the company “was recently a victim of a security breach that resulted in unauthorized access to some applicant’s (sic) personal data stored on our computer servers.”
Scripps will publish and broadcast stories from its investigation beginning this weekend. For a complete list of Scripps stations and newspapers, see http://www.scripps.com/brands.
So it seems that TerraCom’s statement might be a bit misleading and that what really happened is that they were notified by Scripps Howard of the breach/leak. But did Scripps Howard go too far in downloading so much data for their report? Is this any different than what others have gone to prison for? Obviously, they believe their conduct was lawful, and it may well be, but this is where we also need a shield law to protect those who discover and report on breaches.
NewsOK has more on the dispute and allegations.