The Hacker News Logo
Subscribe to Newsletter

Reporters legally threatened after revealing vulnerability that exposes sensitive data of 170,000 customers

For millions of low income families, the federal government's Lifeline program offers affordable phone service. But an online security lapse has exposed tens of thousands of them to an increased risk of identity theft, after their Social Security numbers, birth dates and other pieces of highly sensitive information were included in files posted publicly online.

Reporters with Scripps were investigating Lifeline, a government benefit-program that provides low-income Americans with discounted phone service, when they came across the sensitive data. They discovered 170,000 Lifeline phone customer records online through a basic Google search that contained everything needed for identity theft.
They asked for an interview with the COO of TerraCom and YourTel, which are the telcos who look after Lifeline,but they threatened reporters who found a security hole in their Lifeline phone system with charges under the Computer Fraud and Abuse Act. Then, the blame-the-messenger hacker accusations and mudslinging began.

The Scripps reporters videotaped the process showing how they found the documents. Attorney Jonathon Lee, acting for both telecoms outfits, threatened the hacks with violating the Computer Fraud and Abuse Act (CFAA).

Lee wrote a letter telling Scripps that the intrusions and downloading of sensitive records were associated with Scripps IP addresses.  The company asserts that the personal data was only accessible to the reporter using sophisticated computer techniques.

Jonathan Lee, “by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

The Scripps case bears some resemblance to a separate similar incident involving Andrew weev Auernheimer, who was sentenced in March to 41 months in prison after he found a security flaw in AT&T’s public website and used it to harvest the email addresses of over 114,000 iPad users.

But what is interesting is how a corporation can use the Computer Fraud and Abuse Act to try and cover up security cock-ups.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.