Reporters use Google, find breach, get branded as “hackers”
Scripps reporters uncover mishandling of customer data; companies threaten to sue.
by Sean Gallagher - May 21 2013, 11:15pm SAST
Call it security through absurdity: a pair of telecom firms have branded reporters for Scripps News as "hackers" after they discovered the personal data of over 170,000 customers—including social security numbers and other identifying data that could be used for identity theft—sitting on a publicly accessible server. While the reporters claim to have discovered the data with a simple Google search, the firms' lawyer claims they used "automated" means to gain access to the company's confidential data and that in doing so the reporters violated the Computer Fraud and Abuse Act with their leet hacker skills.
The files were records of applicants for the Federal Communications Commission's (FCC) Lifeline subsidized cell phone program for low-income consumers. The applicants' information was collected for the telecom providers YourTel and TerraCom by Vcare, an India-based call center service contracted to verify applicants' eligibility. To qualify for the program, customers need to submit proof that they are enrolled in a federal or state assistance program such as Supplemental Security Income, food stamp programs, and the federally funded free school lunch program.
Vcare and the telecom providers are explicitly required to not retain this data under the regulations of the FCC program. However, the data was retained on Vcare's servers and posted to an open file-sharing area—and apparently indexed by Google's search engine in the process.
Scripps News' Isaac Wolf contacted the chief operating officer of TerraCom and YourTel for an interview. The two companies are separate legal entities but are substantially owned by the same people and, as the company's attorney put it, "share some key management employees." In an e-mail to TerraCom and YourTel COO Dale Schmick, Wolf informed Schmick that he had "stumbled across numerous Lifeline applications… which are posted freely online."
However, Vcare and the two telecom companies assert that the reporters "hacked" their way into the data using "automated" methods to access the data. And what was this malicious hacking tool that penetrated the security of Vcare's servers? In a letter sent to Scripps News by Jonathan D. Lee, counsel for both of the cell carriers, Lee said that Vcare's research had shown that the reporters were "using the 'Wget' program to search for and download the Companies' confidential data." GNU Wget is a free and open source tool used for batch downloads over HTTP and FTP. Lee claimed Vcare's investigation found the files were bulk-downloaded via two Scripps IP addresses.
Lee's letter demanded that Scripps immediately identify the "Scripps Hackers" and preserve any evidence of downloaded data, "as civil litigation is highly likely." He stressed that the companies' intent is to discover the extent of the breach and determine if the reporters were just accessing the data for journalistic reasons—in which case, they would not have to report the exposure as a data breach.