News service served with cease and desist after server access
The Scripps Howard News Service recently reported on a data leak it had found which exposed the sensitive information of up to 170,000 phone company customers who had applied for discounted phone lines. But instead of a statement from the data's owners, the authors got a cease and desist.
The data leak took place with mobile phone service provider TerraCom and its subsidiary, YourTel America. The companies had filed requests to participate in Lifeline, a US government programme to provide low cost telephone lines to low income households, unencrypted and on unsecured servers. Scripps News say a Google search for Terracom revealed a Lifeline application on the servers of a company called "Call Centers India Inc", who work under contract for Terracom and YourTel. Further searches discovered "scores" of additional applications which revealed names, dates of birth, tax information and social security numbers of the applicants.
Scripps News contacted the two companies before publishing its report and the data leak was subsequently closed. TerraCom informed applicants that Scripps news and possibly other unauthorised persons had accessed their personal data. So far though, no one appears to have come to harm.
The cease and desist from TerraCom and YourTel states that Scripps News had breached the Computer Fraud and Abuse Act (CFAA) because it had fraudulently gained access to confidential data which employees of the company would have then downloaded. The firms call on the news service to investigate the incident and, in particular, identify the persons they refer to as the "Scripps Hackers" so that they can mitigate potential dangers. According to the letter, the "Scripps Hackers" used "the 'Wget' program to search for and download the Companies confidential data". If Scripps News does not comply with the cease and desist letter, the companies say it could lead to civil and criminal consequences.
Scripps News defends itself in a response saying the employees had accessed the data for purely journalistic reasons and that no special computer skills were needed to do so, just a common search engine accessible to every internet user. The news service says it will, therefore, not be complying with the requests for information.
According to Huffington Post, TerraCom and YourTel's COO Dale Schmick has said they "accept responsibility for the lapse in security" and that 270 Lifeline applicants' details were available through public searching. But, Schmick maintains that Scripps used "sophisticated computer techniques and non-public information" to view other records, a claim which Scripps "categorically denies". The circumstances around the data leak are now being examined by the US States prosecutors Illinois, Indiana and Texas.