What happens when a journalist going about his daily job discovers sensitive information sprawled open on the World Wide Web? Ask Isaac Wolf, a reporter for Scripps Howard News Service, who was conducting a standard Google search when he came across thousands of Social Security numbers and other private records in full public display.
Last week, Wolf and his colleagues published a story exposing two phone carriers, TerraCom, and its affiliate, YourTel America, that put thousands of customers at risk for identity theft by storing this private information out in the open.
When the reporters brought the issue to light, the companies claimed that the Scripps employees had gone beyond reporting and broken into the world of hacking.
Wolf set out to write a story on Lifeline, a federal program that aims to provide phone services to low-income citizens through affordable carriers. What he discovered was more than a simple government aid story. He found completed customer applications, which listed Social Security numbers, birthdays, home addresses, welfare cards and more.
“They have records that appear to go back well into last year — these types of photocopies, these scans of people’s Social Security cards, drivers’ licenses, food stamp cards,” Wolf said. “And it’s not clear why they had them in the first place.”
The two companies have some serious questions to answer. According to Lifeline, participating carriers are allowed to request this type of personal documentation but are not supposed to keep the records on file.
TerraCom’s Chief Operating Officer Dale Schmick released a statement to NPR:
“This is a very serious matter and, upon learning of the Scripps Howard breach, we immediately implemented security measures to prevent any future unauthorized access to applicant files by any means,” he remorsefully wrote.
The company said that the personal data was only accessible to the reporter using highly sophisticated computer methods, which is where the hacking accusations come from. Wolf defends himself saying everything was in public domain.
The two companies have threated to sue Scripps for the alleged hacking. They argue that Scripps reporters violated the Computer Fraud and Abuse Act which has previously yielded the prosecutions of free speech advocate Aaron Swartz. The law has been seriously criticized for being broad and overly disciplinary.
“The information was posted on the web, and anyone can visit a public website,” said George Washington University Law School professor Orin Kerr. However, “I’m not sure the DOJ would agree,” he added.
Information should always be kept safe, but sometimes this is not at the top of the agenda. Make sure your company’s data is secure by finding the right security professionals through Tiro Security, a leading provider of information security jobs Los Angeles. Contact us to find out about our executive search options.