Matt Anzur/Scripps Howard News Service
The private information Linda Mendez submitted to get discount cellphone service appeared on a publicly accessible website.
The private information Linda Mendez submitted to get discount cellphone service appeared on a publicly accessible website. Matt Anzur/Scripps Howard News Service
Sensitive personal information belonging to thousands of applicants to a government phone program was exposed to the public on the Internet, according to a new investigative report from Scripps Howard News Service.
The federal program is called Lifeline, and it reimburses phone companies for providing service to low-income Americans.
Scripps reporter Isaac Wolf says he was able to access more than 100,000 records from one of those private companies online. That includes Social Security numbers, birth dates, home addresses and even copies of nutrition assistance and welfare cards.
Wolf says the company, TerraCom, and its affiliate, YourTel America, have a lot of explaining to do about exactly how — and why — these records were accessible online.
"They have records that appear to go back well into last year — these types of photocopies, these scans of people's Social Security cards, drivers' licenses, food stamp cards. And it's not clear why they had them in the first place."
Carriers are allowed to request supporting personal documentation but are not supposed to retain them, according to Lifeline's administrators.
In a statement sent to NPR, TerraCom's Chief Operating Officer Dale Schmick says the company "deeply regrets" the data disclosure. "This is a very serious matter and, upon learning of the Scripps Howard breach, we immediately implemented security measures to prevent any future unauthorized access to applicant files by any means," he wrote. The company has also said it has notified federal and state regulators. The Indiana attorney general's office confirmed Monday that it would investigate the breach.
The company asserts that the personal data was only accessible to the reporter using sophisticated computer techniques. Wolf says everything he found was publicly accessible.
TerraCom's full statement follows:
Statement from Dale Schmick, Chief Operating Officer of TerraCom, and YourTel America:
"We deeply regret that the personal data of 343 Lifeline applicants were accessed by unidentified third parties or mistakenly made available through Internet searches. Some of this activity may have been the direct result of the unauthorized access of approximately 170,000 applicant personal data files by the Scripps Howard News Service through more sophisticated online searches.
"This is a very serious matter and, upon learning of the Scripps Howard breach, we immediately implemented security measures to prevent any future unauthorized access to applicant files by any means. Subsequent attempts by the news service to access applicant personal files have been blocked by TerraCom's enhanced security measures.
"We've established a toll-free number for applicants to contact us with questions (1-855-297-0243). Since Scripps Howard has assured us that they do not plan to publicly release the personal data that they possess through unauthorized access, we are providing credit reporting/identity theft assistance for those whose data was accessed by unidentified third parties other than the news service to help monitor against potential fraudulent activity on their banking and credit card accounts.
"We've notified federal and state regulators, and law enforcement, of this breach and are in ongoing discussions with them.
"Contrary to the claims by Scripps Howard that this information was all 'publicly posted data online' and tens of thousands of Lifeline applicants' personal data was available through 'simple Internet searches,' a digital forensics investigation by TerraCom has revealed that the news service used sophisticated computer techniques and non-public information to view and download the personal information of applicants.
"The personal data that was previously available through Internet searches was limited to the files of 270 applicants and we've subsequently taken action to eliminate any further public access to that data.
"The news service had to identify non-public directories in TerraCom's computer system and decipher sophisticated URL addresses that included sequences of 14 random numbers to download the 170,000 files they now have in their possession. It is unfortunate that Scripps Howard has remained silent about the full extent of its role in this incident and has omitted these facts in its ongoing reporting of this incident."