Call it security through absurdity: a pair of telecom firms have branded reporters for Scripps News as "hackers" after they discovered the personal data of over 170,000 customers -- including social security numbers and other identifying data that could be used for identity theft -- sitting on a publicly accessible server.
While the reporters claim to have discovered the data with a simple Google search, the firms' lawyer claims they used "automated" means to gain access to the company's confidential data and that in doing so the reporters violated the Computer Fraud and Abuse Act with their l33t hacker skills.
The files were records of applicants for the Federal Communications Commission's (FCC) Lifeline subsidised mobile phone programme for low-income consumers. The applicants' information was collected for the telecom providers YourTel and TerraCom by Vcare, an India-based call centre service contracted to verify applicants' eligibility. To qualify for the programme, customers need to submit proof that they are enrolled in a federal or state assistance programme such as Supplemental Security Income, food stamp programmes, and the federally-funded free school lunch programme.
Vcare and the telecom providers are explicitly required to not retain this data under the regulations of the FCC programme.
However, the data was retained on Vcare's servers and posted to an open file-sharing area -- and apparently indexed by Google's search engine in the process.
Scripps News' Isaac Wolf contacted the chief operating officer of TerraCom and YourTel for an interview. The two companies are separate legal entities but are substantially owned by the same people and, as the companies' attorney put it, "share some key management employees". In an email to TerraCom and YourTel COO Dale Schmick, Wolf informed Schmick that he had "stumbled across numerous Lifeline applications which are posted freely online".
However, Vcare and the two telecom companies assert that the reporters "hacked" their way in, using "automated" methods to access the data. And what was this malicious hacking tool that penetrated the security of Vcare's servers? In a letter sent to Scripps News by Jonathan Lee, counsel for both of the cell carriers, Lee said that Vcare's research had shown that the reporters were "using the 'Wget' program to search for and download the Companies' confidential data". GNU Wget is a free and open source tool used for batch downloads over HTTP and FTP.
Lee claimed Vcare's investigation found the files were bulk-downloaded via two Scripps IP addresses.
Lee's letter demanded that Scripps immediately identify the "Scripps Hackers" and preserve any evidence of downloaded data, "as civil litigation is highly likely". He stressed that the companies' intent is to discover the extent of the breach and determine if the reporters were just accessing the data for journalistic reasons -- in which case, the companies would not have to report the exposure as a data breach.
This story originally appeared on Ars Technica.
This article was originally published by WIRED UK