The news just got worse for more than 300,000 low income Americans exposed to the risk of identity theft last year when two telecom companies posted their personal information online. The Federal Communications Commission says some of those files were accessed through several foreign countries considered to be centers for cybercrime, including China and Russia.
Customers had applied for Lifeline, a federally-subsidized discount phone service for low-income Americans, entrusting their Social Security and other private information to Oklahoma-City based TerraCom Inc., and its Kansas City affiliate, YourTel America Inc.
The FCC declined to release the number of records that were viewed from overseas, citing a confidentiality agreement with the companies. Last week the agency announced a $10 million fine against the two firms for privacy violations. It is the largest fine imposed by the FCC for a privacy infraction and the only one ever issued for a data breach.
“The Commission cannot – and will not – stand idly by when a service provider’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC Chairman Tom Wheeler said in a statement.
The FCC is unaware of any related identity theft complaints so far, an agency spokesman said.
The two companies, which share management and ownership, notified only 35,129 customers out of the 305,000 who were exposed, or 11.5 percent, the FCC says.
The failure to reach out to all affected customers was “unjust and unreasonable because it left consumers ignorant about the risks of identity theft,” according to the FCC findings.
It also noted the companies’ “evolving story” in reporting how many customers were affected as the problems unfolded. In June 2013, they told the FCC that records of only 343 people had been accessed. Five months later, they put the number at just over 128,000. Ultimately, the FCC said, the true tally was 305,000.
Based on that figure, the FCC said it could have imposed a far higher fine – an amount “approaching $9 billion.”
The companies together received nearly $90 million from Lifeline funds in 2012. Both rely heavily on the program for revenue, with TerraCom claiming it was one of the first companies to tap Lifeline “to help people afford real wireless phone service.”
An official representing the two companies declined on Tuesday to discuss the records accessed from overseas or the companies’ notifications to customers.
“We fully complied with state laws regarding notification of affected consumers,” Dale Schmick, chief operating officer for both firms, said in a statement. “TerraCom is fully committed to protecting the personal data of Lifeline applicants and has rigorous privacy safeguards in place to prevent such data from public disclosure.”
The FCC reported that at least some of the information had been viewed from computers in China, Russia, the Ukraine, Poland and Norway. When questioned by the FCC about the overseas activity, the companies downplayed the threat and said it might be TerraCom staffers accessing records via those countries, according to the agency’s report.
“We do not find the companies’ explanations credible,” the FCC responded in its findings.
Scripps News identified the data breach early last year when a reporter’s Google search revealed the information on a public site and wrote about it. While many other security breaches – think Home Depot or JP Morgan – show the fingerprints of sophisticated cybercrooks, the TerraCom case by all indications appears to be the result of a simple blunder. The FCC noted numerous missteps, including a failure by TerraCom to check the IT vendor’s work and ensure the sensitive information was secure.
The agency disputed TerraCom’s assurances in May 2013 that it had secured the data several weeks after the problem became news. More than a year later, FCC Enforcement Bureau staff was able to locate and access two applications with Social Security numbers freely available on the web.
“The applications remained available to anyone using the Internet as late as June 30, 2014,” the FCC reported.
Scripps national investigative reporter Isaac Wolf can be reached at: firstname.lastname@example.org. Also, if you want to keep up with the latest DecodeDC stories and podcasts? Sign up for our weekly newsletter at decodedc.com/newsletter.