Everyone understands today that online criminals are hungry for personal identifiable information (PII) – the data which feeds their appetite for identity theft and fraud.
And normally, a hacker will have to exploit a vulnerability, or discover that a corporation has been careless with its passwords, to grab the details of its customers from a web server.
But who needs to exploit a website vulnerability, or sloppy password security, if you’re interested in the clients of telephone companies like TerraCom and YourTel America?
The two firms made it really easy for any eager cybercriminal – leaving the personal details of 300,000 people on a publicly accessible folder, open to anybody on the Internet who knew how to perform a Google search.
TerraCom and YourTel America are part of a US government initiative called Lifeline, which subsidises telephone services for people with low incomes. To qualify for Lifeline, however, your telephone company will ask you to share your social security number, driver’s license, home address and other personal information.
That seems reasonable enough if you’re looking for a handout to get you a mobile telephone partly paid for by the government – after all, they want to prevent fraudulent claims. But you would certainly expect any organisation requesting such sensitive information to handle it securely, and ideally, destroyed as soon as it had passed verification.
What you definitely wouldn’t want to hear is that the companies had instead allowed their overseas data processor, India’s Vcare Corporation, to leave the private data lying around on an open web server – accessible just by typing the right terms into a search engine.
But that’s exactly what the FCC statement reveals happened:
In early 2013, an investigative reporter working for Scripps Howard News Service (Scripps) discovered that the Companies were storing PI and documents submitted by low income Lifeline service applicants on an unprotected Internet site. Between March 24, 2013, and April 26, 2013, Scripps accessed at least 128,066 confidential records and documents submitted by subscribers and applicants for the Companies’ services.Scripps located a consumer’s data file by conducting a simple Google search. Once it had located a single file, Scripps shortened that file’s URL and obtained access to the entire directory of applicant and subscriber data. On April 26, 2013, Scripps alerted the Companies that it had accessed their servers and had retrieved the PI of subscribers and applicants stored there.
Now, you would probably hope that the companies would thank the journalist for pointing out their shambolic security and rapidly rectify the issue.
Instead, the companies declined the opportunity for an interview and four days later, TerraCom and YourTel America wrote a “cease and desist” letter to the Scripps Howard News Service describing their reporters as “hackers” who had illegally accessed the data.
“The person or persons using the Scripps IP address have engaged in numerous violations of the Computer Fraud and Abuse Act, by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”
Talk about shooting the messenger…
Presumably the companies were less than happy with the resultant negative media coverage about how careless they had been with the personal data of LifeLine consumers.
There was worse to come.
According to the FCC’s announcement, officials at the companies failed to notify all potentially affected consumers, even after they learned that their private data could be accessed online, depriving consumers “of any opportunity to take steps to protect their personal information from misuse by Internet thieves.”
Accordingly, the FCC found that Terracom and YourTel America apparently willfully and repeatedly violated the law when they allegedly:
- Failed to properly protect the confidentiality of consumers’ personal information
- Failed to employ reasonable data security standards
- Misled consumers by claiming in privacy policies that they used appropriate technologies to protect data when they hadn’t
- Failed to fully inform consumers that a third-party had compromised their personal information
As a consequence, the FCC plans to punish the firms with a $10 million fine.
TerraCom and YourTelAmerica’s COO Dale Schmink said that the companies have since improved their data security, and taken measures to prevent future data breache.
Time and time again we hear about organisations making mistakes that make it too easy for hackers to steal information about their customers. But, as this case proves, it isn’t always a case of a software vulnerability not being patched or careless behaviour around passwords.
It can just as easily be someone in your company, or a third-party service provider that your organisation uses, showing an utter carelessness and lack of understanding of the seriousness of ensuring private information is either destroyed or held securely.
Doing web server security right isn’t just about ensuring you have securely encrypted sensitive data and kept systems updated. It’s also essential that you have the most elementary security in place: checking that nothing private is left in a publicly accessible directory, and open for anyone or the world’s search engines to stumble across.