Investigative reporters for the Scripps news service have been threatened with legal action after informing a telecommunications company that confidential data on tens of thousands of applicants was available on the Internet.
The reporters were said to be looking into companies participating in Lifeline, a federal program that provides discounted phone service for qualified low-income households, when they discovered more than 170,000 records from applicants in at least 26 states tied to Oklahoma City-based TerraCom Inc. and affiliate YourTel America Inc.
Those records included sensitive data such as Social Security numbers, birth dates and home addresses, as well as supporting documentation such as scanned copies of passports, driver’s licenses, financial accounts and tax records. A Scripps Howard News Service article reported that of those records, 44,000 were applications and another 127,000 were supporting documents to verify submissions. Indiana and Texas had the highest number of applicants now at risk.
The records, which date back to last September, were being stored on servers operated by contractor Call Centers India, which also does business as Vcare Corp. and operates mainly from New Delhi. Vcare was hired by TerraCom to verify an applicant’s eligibility and apparently stored the data in a publicly accessible area on its server that Google’s search engine indexed.
That’s how the reporting team in Washington, D.C., says it stumbled upon the records using a Google search and the freeware Wget. After contacting some of the victims to verify the accuracy of the unsecured data, the reporters contacted officials at TerraCom in late April. The company took down the records within a couple of hours. And then they threatened to take down the Scripps staff.
In an April 30 letter from Jonathan D. Lee to the E.W. Scripps Company counsel, the Washington, D.C., lawyer called the reporters “Scripps Hackers” and accused them of violating the Computer Fraud and Abuse Act by gaining unauthorized access to confidential data.
“In order to determine accurately the legal obligations created by the Scripps Hackers’ unauthorized access to this data, the Companies need to know whether the Scripps Hackers made any further disclosure, distribution or use of the data, or if the data was simply accessed and stored in the course of a journalistic effort,” Lee wrote. “To that end, I am also requesting that after determining the identity of the Scripps Hackers you determine as soon as possible what they have done with the Companies’ data that they digitally transferred to Scripps’ IP addresses.”
The letter came after reporter Isaac Wolf sent an e-mail to TerraCom and YourTel COO Dale Schmick requesting an interview about the Lifeline records discovered. Schmick forwarded the e-mail to Vcare, which immediately launched an investigation that found its servers had been accessed by at least April 24. The company doesn’t retain server access logs for more than 30 days.
“Much of the Scripps Hackers’ activity was automated,” the letter continued. “After March 25, they began using the ‘Wget’ program to search for and download the Companies’ confidential data. On April 4th, the Scripps Hackers expanded their activity and attempted to hack into additional Vcare servers and directories providing greater access, which would have allowed them to assume employee status, add users, create customer applications and assign inventory. They were denied access on each attempt. On the same day, however, the Scripps Hackers gained access to other server directories that contained documents demonstrating proof of address, proof of enrollment in public assistance programs, or proof of income.”
The Scripps reporters then began downloading those applications and proof files, according to Lee.
“If the purpose of the hacking was journalistic and the Scripps Hackers have not made and do not intend to make any further disclosure of the hacked data, then any financial or other risk for those applicants would be minimal and notification of the breach may not be necessary under the laws of about half of the states involved. However, the downloading of more than 120,000 files over a period of several weeks may not be consistent with a solely journalistic intent.”
The lawyer then asked that all evidence be preserved and said that civil action against three named journalists is “highly likely.”
David M. Giles, VP and Deputy General Counsel for Scripps, responded to Lee’s letter a day later.
“Regardless of the flowery moniker you have used to characterize the bureau’s newsgathering activities, the bureau’s reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation. Rather, in the process of gathering newsworthy information, the bureau accessed – via a basic Internet search – personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity. The search required no special skill and in no way ‘hacked’ or illegally accessed any server or database operated by TerraCom or any other company.”