Reporters threatened after revealing security hole

Posted by Nick Farrell

Telecoms companies involved in a US government scheme to provide an affordable phone service to the poor, have threatened reporters who found a security hole in their Lifeline phone system with charges under the Computer Fraud and Abuse Act.

Scripps News reporters discovered 170,000 Lifeline phone customer records online that contained everything needed for identity theft. They asked for an interview with the COO of TerraCom and YourTel, which are the telcos who look after Lifeline, and were threatened with violating the Computer Fraud and Abuse Act.

Lifeline is a government program offering affordable phone service for low-income citizens. Last year the FCC insisted that Lifeline phone collecting more sensitive information from citizens. They are not supposed to retain copies of the sensitive information.

Scripps News "Googled" the phone companies TerraCom and YourTel America to discover 170,000 files online, all of which contained sensitive information that would make identity theft a breeze for thieves.

The Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms outfits threatened the hacks with violating the Computer Fraud and Abuse Act (CFAA).

Lee wrote a letter telling Scripps that the "intrusions and downloading" of sensitive records were associated with Scripps IP addresses. He warned that "the 'Scripps Hackers' have engaged in numerous violations of the Computer Fraud and Abuse Act by gaining unauthorised access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps."

The rest of the letter slammed the "Scripps Hackers" for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, and threating a law suit.

TerraCom posted a security breach notice that states, "As far as we can tell, the vast majority of applicant data files were accessed by the Scripps Howard News Service, and we are sorry that personal data of Lifeline applicants was accessed by the News Service and possibly by other unauthorised persons."

However the move appears to be a cover for the fact that both companies are in hot water with the FCC. The watchdog said that it is investigating and could fine them both up to $1.5 million for a single violation of privacy.

Scripps added that the Indiana attorney general's office "has launched an investigation into the release of TerraCom applicants' personal data. The Texas attorney general's office also is scrutinising the practices of TerraCom and YourTel.

But what is interesting is how a corporation can use the Computer Fraud and Abuse Act to try and cover up security cock-ups. This case was public, and Scripps did not back down, but how many other companies have managed to cover up their computer flaws with a scary letter to the editor from m'learned friend?