
Everyone understands today that online criminals are hungry for personally identifiable information (PII) – the data which feeds their appetite for identity theft and fraud.

And normally, a hacker will have to exploit a vulnerability, or discover that a corporation has been careless with its passwords, to grab the details of its customers from a web server.

But who needs to exploit a website vulnerability, or sloppy password security, if you’re interested in the clients of telephone companies like TerraCom and YourTel America?

The two firms made it really easy for any eager cybercriminal – leaving the personal details of 300,000 people in a publicly accessible folder, open to anybody on the Internet who knew how to perform a Google search.

TerraCom and YourTel America are part of a US government initiative called Lifeline, which subsidises telephone services for people with low incomes. To qualify for Lifeline, however, your telephone company will ask you to share your social security number, driver’s license, home address and other personal information.

That seems reasonable enough if you’re looking for a handout to get you a mobile telephone partly paid for by the government – after all, they want to prevent fraudulent claims. But you would certainly expect any organisation requesting such sensitive information to handle it securely and, ideally, to destroy it as soon as it had passed verification.


What you definitely wouldn’t want to hear is that the companies had instead allowed their overseas data processor, India’s Vcare Corporation, to leave the private data lying around on an open web server – accessible just by typing the right terms into a search engine.

But that’s exactly what the FCC statement reveals happened:

In early 2013, an investigative reporter working for Scripps Howard News Service (Scripps) discovered that the Companies were storing PI and documents submitted by low income Lifeline service applicants on an unprotected Internet site. Between March 24, 2013, and April 26, 2013, Scripps accessed at least 128,066 confidential records and documents submitted by subscribers and applicants for the Companies’ services. Scripps located a consumer’s data file by conducting a simple Google search. Once it had located a single file, Scripps shortened that file’s URL and obtained access to the entire directory of applicant and subscriber data. On April 26, 2013, Scripps alerted the Companies that it had accessed their servers and had retrieved the PI of subscribers and applicants stored there.

Now, you would probably hope that the companies would thank the journalist for pointing out their shambolic security and rapidly rectify the issue.

Instead, the companies declined the opportunity for an interview and four days later, TerraCom and YourTel America wrote a “cease and desist” letter to the Scripps Howard News Service describing their reporters as “hackers” who had illegally accessed the data.


“The person or persons using the Scripps IP address have engaged in numerous violations of the Computer Fraud and Abuse Act, by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

Talk about shooting the messenger…

Presumably the companies were less than happy with the resultant negative media coverage about how careless they had been with the personal data of LifeLine consumers.

There was worse to come.

According to the FCC’s announcement, officials at the companies failed to notify all potentially affected consumers, even after they learned that their private data could be accessed online, depriving consumers “of any opportunity to take steps to protect their personal information from misuse by Internet thieves.”

Accordingly, the FCC found that TerraCom and YourTel America apparently willfully and repeatedly violated the law when they allegedly:

  • Failed to properly protect the confidentiality of consumers’ personal information
  • Failed to employ reasonable data security standards
  • Misled consumers by claiming in privacy policies that they used appropriate technologies to protect data when they hadn’t
  • Failed to fully inform consumers that a third-party had compromised their personal information

As a consequence, the FCC plans to punish the firms with a $10 million fine.

TerraCom and YourTel America’s COO Dale Schmink said that the companies have since improved their data security and taken measures to prevent future data breaches.

Time and time again we hear about organisations making mistakes that make it too easy for hackers to steal information about their customers. But, as this case proves, it isn’t always a case of a software vulnerability not being patched or careless behaviour around passwords.

It can just as easily be someone in your company, or a third-party service provider that your organisation uses, showing an utter carelessness and lack of understanding of the seriousness of ensuring private information is either destroyed or held securely.

Doing web server security right isn’t just about ensuring you have securely encrypted sensitive data and kept systems updated. It’s also essential that you have the most elementary security in place: checking that nothing private is left in a publicly accessible directory, and open for anyone or the world’s search engines to stumble across.
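The FCC account above describes the failure mode exactly: a single indexed file, a shortened URL, and a server that answered with a listing of the whole directory. The audit below is an added example written for this article; it is not code from the article, from TerraCom, YourTel America or Vcare. It assumes (hypothetically) a locally mounted document root and a server that auto-generates a listing for any directory without an index file, and it does the elementary check the closing paragraph calls for: walk the web root, flag directories that would be listed, flag scanned-document file types that have no business under a public root, and flag text exports that contain SSN-shaped values. A second helper recognises the listing pages Apache, nginx and IIS generate, so the same check can be run against a response body fetched from a live host you are responsible for. The sample document root and its contents are constructed for the demonstration.

```python
"""Audit a web document root for content that a search engine could index.

Added example, not the article's or the companies' code. Assumes the server
auto-indexes any directory lacking an index file (hypothetical setup).
"""
import os
import re
import tempfile
from dataclasses import dataclass

INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Scanned applicant documents: IDs, licences, proof-of-income, data exports.
DOCUMENT_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".tif", ".doc", ".docx", ".xls", ".xlsx"}
# Text-like formats worth opening and scanning for PII patterns.
TEXT_EXT = {".txt", ".csv", ".json", ".xml"}
# US SSN shape (nnn-nn-nnnn); a review trigger, not a validator.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Apache and nginx auto-index pages both carry this title.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
# IIS directory browsing emits this link text.
IIS_LISTING = "[To Parent Directory]"


@dataclass(frozen=True)
class Finding:
    path: str    # URL-style path relative to the web root
    reason: str  # why it was flagged


def has_directory_listing(html: str) -> bool:
    """True if a response body looks like a server-generated directory index."""
    return bool(LISTING_RE.search(html)) or IIS_LISTING in html


def audit_docroot(docroot: str) -> list[Finding]:
    """Walk a document root and report exposures a crawler could reach."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        url_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        if not INDEX_FILES.intersection(filenames):
            findings.append(Finding(url_dir, "no index file; autoindex would list contents"))
        for name in sorted(filenames):
            ext = os.path.splitext(name)[1].lower()
            url = url_dir + name
            if ext in DOCUMENT_EXT:
                findings.append(Finding(url, f"document-type file ({ext}) inside the web root"))
            elif ext in TEXT_EXT:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    if SSN_RE.search(fh.read()):
                        findings.append(Finding(url, "contains SSN-shaped values"))
    return findings


def _write(root: str, rel: str, text: str) -> None:
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_docroot() -> str:
    """Constructed web root: a public landing page plus an unindexed uploads folder."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "uploads"))
    _write(root, "index.html", "<html><body>Public site</body></html>")
    _write(root, "uploads/applicant-0001.pdf", "%PDF-1.4 constructed placeholder")
    _write(root, "uploads/applicants.csv", "name,ssn\nJ. Doe,123-45-6789\n")  # constructed
    return root


if __name__ == "__main__":
    for f in audit_docroot(build_sample_docroot()):
        print(f"{f.path}: {f.reason}")
```

Run as a script, the audit reports the `/uploads/` directory itself (no index file), the PDF inside it, and the CSV with an SSN-shaped value, while the root with its `index.html` is silent. Turning off auto-indexing on the server (`Options -Indexes` in Apache, `autoindex off;` in nginx) closes the listing, but the point of the walk is that the documents should not be under the web root at all.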


  • Coyote

    Re:"But you would certainly expect any organisation requesting such sensitive information to handle it securely, and ideally, destroyed as soon as it had passed verification."

    I think it is more like: LIKE to BELIEVE they would. Of course, like to believe and reality are quite different from each other, sadly. As for the situation: shameful and then some. Yes, you would (here we go again) like to believe that they would appreciate the warning. But of course that isn't reality, always. And in this case it wasn't even unauthorised – it was public. I can maybe see if what is done is unauthorised (although better that they do it and inform or fix it themselves than do it and cause other damage or… but there is a fine line there and it is not legal either so makes it a moot point to those who understand the implications) but… shameful way to act with the risks of all those people. Shameful way to act even if it wasn't a risk to others and only themselves. Shameful in every single scenario, actually. And improving their policy is a bit too little and definitely too late. Granted it'd be worse to not improve it but this shouldn't have happened in the first place.