DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

TerraCom notifies 150,000 Lifeline applicants after breach

Posted on May 16, 2013 by Dissent

Here’s a breach I didn’t see in the media but first learned of from the Wisconsin Office of Privacy Protection. According to that office, on April 26, 2013, TerraCom, a wireless learned of a security breach involving unauthorized access to personal data and downloaded files related to over 150,000 individuals. The data was stored on the computer servers of TerraCom’s IT contractor, Call Centers India, Inc. d/b/a VCare Corporation (“VCare”) and belonged to applicants seeking enrollment in the federal Lifeline telephone program administered by the Federal Communications Commission (FCC). Approximately 875 of the 150,000 are Wisconsin residents.

The data accessed included name, Social Security Number, date of birth, address, driver’s license Number, copies of tax information and other government forms that TerraCom is required by law to obtain and use in order to determine applicant eligibility for the Lifeline program.

TerraCom has initiated immediate corrective action to secure and protect compromised data files and further safeguard the personal data of applicants from future attacks by hackers.

TerraCom has mailed notice of the security breach to those persons whose records were individually accessed. Additionally, TerraCom will provide these applicants whose personal information was put at risk with instructions and the opportunity to enroll in a credit bureau monitoring service at no cost to the applicant.

A toll free number has been provided to assist applicants whose personal information was accessed about what they should do. (1-855-297-0243)

Those affected were mailed letters on May 14.

But there seems to be more to this story. A notice on TerraCom’s web site says (emphasis added below by me):

TerraCom, Inc. was recently the victim of a security breach that resulted in unauthorized access to some applicant’s personal data stored on our computer servers. We deeply regret that this incident occurred. We are informing individual applicants whose data, we believe, was most at risk to being accessed via the Internet. As far as we can tell, the vast majority of applicant data files were accessed by the Scripps Howard News Service, and we are sorry that personal data of Lifeline applicants was accessed by the News Service and possibly by other unauthorized persons. The information accessed included names, addresses, social security numbers, tax information and other government forms used by our company to determine applicant eligibility for the federal Lifeline program.

This is a very serious matter and we are actively investigating the full extent of any security breach in our computer systems. Additionally, we’ve taken steps to eliminate any potential release of personal data in the future.

Based on our ongoing investigation – being conducted in coordination with an independent digital forensics team – there appears to be no evidence to indicate that a malicious attack occurred on our computer systems, nor does it appear that any applicant has been injured as a result of the unauthorized accessing of personal data files by the news organization or any others.

What you can do:

Monitor your credit reports, bank and credit accounts for unauthorized activity and report anything questionable to the account issuer and credit bureaus.

Take advantage of online access to your account information so you don’t have to wait for the monthly statement to come in the mail.
If you learn that your Social Security Number has been compromised, immediately place a fraud alert on your three credit reports and then continue to monitor them.

We have established a toll-free number 1-855-297-0243 for applicants and customers to contact us with questions they may have. Our call center representatives are available to answer your questions and provide guidance on steps you can take to protect your financial information and guard against the potential for identify theft.

So what was Scripps Howard News Service doing accessing those files? It turns out they were investigating the breach. They report:

Customers of Lifeline, a federal program for low-income Americans, benefit by getting discounted phone service. But tens of thousands also face a liability: an increased risk of identity theft.

A Scripps News investigation has uncovered more than 170,000 records — listing sensitive information such as Social Security numbers, home addresses and financial accounts. These were widely available online this spring after being collected for two phone carriers participating in the program: Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc.

The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel. A reporter conducted another Google query of that site, and the search engine returned scores of applications. Scripps videotaped the process.

The reporter immediately shared the findings with editors, who assembled an editorial, technical and legal team to responsibly and legally gather and secure the records for reporting purposes.

The Scripps team used computer code to download the publicly available records, securing them both electronically and physically. To verify the documents’ authenticity, reporters contacted dozens of individuals named in them and spoke with privacy experts and others.

On April 26, Scripps notified Dale Schmick, chief operating officer for both TerraCom and YourTel, of the posted records. Within hours, they no longer were publicly accessible.

In a letter, a lawyer for both phone companies accused Scripps of accessing the records illegally. Scripps denied that allegation and offered to demonstrate how it found the documents online.

Schmick and the companies have declined Scripps’ repeated requests for an interview.

On Friday, TerraCom posted a notice on its website that the company “was recently a victim of a security breach that resulted in unauthorized access to some applicant’s (sic) personal data stored on our computer servers.”

Scripps will publish and broadcast stories from its investigation beginning this weekend. For a complete list of Scripps stations and newspapers, see http://www.scripps.com/brands.

So it seems that TerraCom’s statement might be a bit misleading and that what really happened is that they were notified by Scripps Howard of the breach/leak. But did Scripps Howard go too far in downloading so much data for their report? Is this any different than what others have gone to prison for? Obviously, they believe their conduct was lawful, and it may well be, but this is where we also need a shield law to protect those who discover and report on breaches.

NewsOK has more on the dispute and allegations.

Related posts:

  • Fraudulent signatures discovered on Lifeline phone applications – Scripps News investigation
  • Blaming the discoverer of a breach probably not a wise move
  • Are TerraCom and YourTel the poster children for how NOT to respond to a breach?
  • FCC jumps into data security; plans $10 million fine for carriers that breached consumer privacy
Category: Breach IncidentsBusiness SectorSubcontractorU.S.

Post navigation

← MS: Head Start records containing personal information stolen from Moss Point office
Medical worker stole patient identities →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.