Sensitive personal information belonging to thousands of applicants to a government phone program was exposed to the public on the Internet, according to a new investigative report from Scripps Howard News Service.
The federal program is called Lifeline, and it reimburses phone companies for providing service to low-income Americans.
Scripps reporter Isaac Wolf says he was able to access more than 100,000 records from one of those private companies online. That includes Social Security numbers, birth dates, home addresses and even copies of nutrition assistance and welfare cards.
Wolf says the company, TerraCom, and its affiliate, YourTel America, have a lot of explaining to do about exactly how — and why — these records were accessible online.
"They have records that appear to go back well into last year — these types of photocopies, these scans of people's Social Security cards, drivers' licenses, food stamp cards. And it's not clear why they had them in the first place."
Carriers are allowed to request supporting personal documentation but are not supposed to retain them, according to Lifeline's administrators.
In a statement sent to NPR, TerraCom's Chief Operating Officer Dale Schmick says the company "deeply regrets" the data disclosure. "This is a very serious matter and, upon learning of the Scripps Howard breach, we immediately implemented security measures to prevent any future unauthorized access to applicant files by any means," he wrote. The company has also said it has notified federal and state regulators. The Indiana attorney general's office confirmed Monday that it would investigate the breach.
The company asserts that the personal data was only accessible to the reporter using sophisticated computer techniques. Wolf says everything he found was publicly accessible.
TerraCom's full statement follows:
Statement from Dale Schmick, Chief Operating Officer of TerraCom, and YourTel America:
"We deeply regret that the personal data of 343 Lifeline applicants were accessed by unidentified third parties or mistakenly made available through Internet searches. Some of this activity may have been the direct result of the unauthorized access of approximately 170,000 applicant personal data files by the Scripps Howard News Service through more sophisticated online searches.
"This is a very serious matter and, upon learning of the Scripps Howard breach, we immediately implemented security measures to prevent any future unauthorized access to applicant files by any means. Subsequent attempts by the news service to access applicant personal files have been blocked by TerraCom's enhanced security measures.
"We've established a toll-free number for applicants to contact us with questions (1-855-297-0243). Since Scripps Howard has assured us that they do not plan to publicly release the personal data that they possess through unauthorized access, we are providing credit reporting/identity theft assistance for those whose data was accessed by unidentified third parties other than the news service to help monitor against potential fraudulent activity on their banking and credit card accounts.
"We've notified federal and state regulators, and law enforcement, of this breach and are in ongoing discussions with them.
"Contrary to the claims by Scripps Howard that this information was all 'publicly posted data online' and tens of thousands of Lifeline applicants' personal data was available through 'simple Internet searches,' a digital forensics investigation by TerraCom has revealed that the news service used sophisticated computer techniques and non-public information to view and download the personal information of applicants.
"The personal data that was previously available through Internet searches was limited to the files of 270 applicants and we've subsequently taken action to eliminate any further public access to that data.
"The news service had to identify non-public directories in TerraCom's computer system and decipher sophisticated URL addresses that included sequences of 14 random numbers to download the 170,000 files they now have in their possession. It is unfortunate that Scripps Howard has remained silent about the full extent of its role in this incident and has omitted these facts in its ongoing reporting of this incident."
MICHEL MARTIN, HOST:
I'm Michel Martin, and this is TELL ME MORE from NPR News. Coming up, you've probably heard that the stock market is seeing record highs, but there's also a new poll that shows that fewer Americans are participating. We'll try to find out why, in just a few minutes.
But first, we want to tell you about a major data breach affecting thousands of participants of a major government program. The program is called Lifeline; it reimburses phone companies for providing service to low-income Americans.
A new investigation found detailed personal information from one of those private companies available online. That includes the Social Security numbers, birth dates, home addresses, even copies of nutrition assistance and welfare cards, of more than 100,000 applicants.
Isaac Wolf is a national reporter for Scripps Howard News Service. He led the investigation, and he's with us now to tell us more. Welcome. Thank you for joining us.
ISAAC WOLF: Thank you so much for having me.
MARTIN: Tell us just a little bit about the Lifeline program, if you would. How did it start? Who is it for?
WOLF: Sure. The Lifeline program actually dates back to 1985, during the Reagan administration, and it was created to make sure that phone service was accessible to the poor, the needy. It's continued for just about 30 years; and it was expanded in 2005 to include cellphone service. And this has created a lot of problems. There have been a lot of concerns toward waste, fraud and abuse. You've heard stories over the past few years of people getting multiple phones, phone carriers enrolling folks who maybe were dead or didn't live at those addresses because of course, the phone companies are making money per individual that they have signed up for the service.
MARTIN: So how did you get into this investigation? I mean, were you looking for something else, or had you gotten a tip or something that...
WOLF: No. There was...
MARTIN: ...this kind of personal information was available online?
WOLF: No, no. Nothing of the sort. A couple other reporters and I at Scripps were just looking into this program; you know, just looking up what was going on. There's been many new rules that have come down the pike, and we just wanted to see what was going on there. And over the course of doing some Internet searches earlier this spring, we stumbled across about 170,000 personal records that were posted online, and those involve two companies that are participating carriers within this program. It's TerraCom Inc. and its affiliate, YourTel America.
MARTIN: And for people who might not understand why this is a problem, why is this a problem that people's Social Security numbers and birth dates and addresses - and all of that stuff, was so readily available?
WOLF: Well, your Social Security number is really the most important sensitive piece of information about yourself that can be used by identity thieves to open accounts in your name, to pass themselves off as you. Social Security numbers, we know, also are used by people who aren't you, to get jobs.
MARTIN: So it's basically an open door to identity theft. So as far as you know, how did this happen?
WOLF: You know, TerraCom, the parent company behind this, has not given us a straight answer. We are still trying to understand what led these records to be posted publicly online.
MARTIN: Now, we reached out to TerraCom and its affiliate, YourTel America, which are the companies that you say were responsible for the breach. You said that they wouldn't give you an interview. They didn't give us an interview either, but they did issue a statement, and TerraCom says that the company deeply regrets, in quotes, that this information was accessed. It says it has implemented security measures and notified federal and state regulators. It says that that information has now been taken offline.
But they also say that you did not just use simple Internet searches. In their statement they quote that a digital forensics investigation by TerraCom has revealed that the news service used sophisticated computer techniques and non-public information to view and download the personal information of applicants. And your response to that is?
WOLF: My response to that is everything that we did and everything that we looked at was publicly accessible. We stumbled across these records through a Google search. We've posted online video of how we accessed these records and we have also written about how we accessed these records. We've asked the company to sit down with us. We've told them that we would show them exactly how we accessed these records, and they have refused for nearly a month our sit-down interview requests.
And, frankly, I would just say, you know, if their story really does hold up, which it doesn't, then why aren't they here answering questions? They're not.
MARTIN: We're talking with Isaac Wolf of Scripps Howard News Service and we're talking about his reporting. He and his team found thousands of applications with detailed personal information posted online for participants in a government program to provide phone service for low income Americans.
You also talked to some of the participants in the program, people whose data was accessed. What did they say about this? Did they have any idea?
WOLF: No. They didn't have any idea. They were shocked. You know, I spoke with one woman, Linda Mendez(ph), in San Antonio. She works the night shift cleaning a gym and she uses her Lifeline cell phone, her TerraCom cell phone, to call, check in on her husband and four kids, make sure that they've done their homework, that they're ready for bed. She also uses her phone to coordinate appointments for her kids, including one of her daughters who has Down syndrome, and this is a stumbling block for her. I would just also add that prior to the TerraCom information release, her family has experienced identity theft. Her husband has had his Social Security number misused by others over the past several years, so this is something that people really get.
And I would just also add that this program, these applications, are for folks who are among the most vulnerable. They are the poorest. They oftentimes have disabilities, and so you or I - you know, it might be an inconvenience for us to have to spend the dozens of hours calling credit reporting agencies and banks, but we're talking about folks who are working the overnight shift or, you know, maybe they just don't have the wherewithal to fight this and they're the ones who've been exposed here.
MARTIN: Did your reporting indicate any hypothesis of how this could have happened?
WOLF: I can't speculate on behalf of TerraCom and I would just also add that the records were being held by a third party contractor, an Indian company called Call Centers India. We've reached out to them for comment; they also have not responded, but I would just say your question is a fantastic one. It's the top of the list of things that we're waiting to hear back from. There's a couple other questions that we really think that Linda Mendez and others need answers to, I would say.
The second question that others need answers to is: Why did TerraCom have these records in the first place? As we report, the Federal Communications Commission actually forbids TerraCom and other companies from keeping copies of food stamp cards, drivers' licenses, of pieces of proof that these applicants are eligible. Well, the vast majority of the records that we found were precisely these types of scans, iPhone camera shots, so and so forth. Why'd they have them? It's not clear.
MARTIN: So basically they're allowed to have certain information in order to be sure that the applicant is qualified, but once the applicant has been qualified, they're not supposed to keep this stuff?
WOLF: Well, according to the regulations, the companies are not supposed to retain these records. Exactly what that means is unclear. We've reached out to the FCC for an explanation; they haven't given us one. But what we can say is that many of these pieces of evidence date back to last year, so whether or not these folks were approved or still in some sort of limbo or they've been rejected, they have records that appear to go back well into last year. You know, these types of photocopies, these scans of people's Social Security cards, drivers' licenses, food stamp cards, and it's not really clear why they had them in the first place.
MARTIN: Final question. Is there any broader lesson here that you think we all need to take note of?
WOLF: Well, our reporting doesn't only look at these release of personal records from TerraCom. We actually look at some other privacy issues associated with the Lifeline program, including a database that's being built out through the FCC and it's going to include personal information from social welfare programs across the country; for many different social welfare programs there's concerns there about privacy issues.
MARTIN: Isaac Wolf is a national reporter for Scripps Howard News Service. He was kind enough to join us here in our Washington, D.C. studios. Isaac Wolf, thank you so much for joining us.
WOLF: Sure. It's been my pleasure.
MARTIN: To read Isaac Wolf's full story and then the full statement from TerraCom, just visit our website. Go to NPR.org/TellMeMore. Transcript provided by NPR, Copyright NPR.