Reporters Find Exposed Personal Data Via Google, Threatened With CFAA Charges
from the sounds-familiar dept
In a story that sounds mighty similar to the Andrew “weev” Auernheimer situation, two reporters from the Scripps News service have been told that they may be hit with Computer Fraud and Abuse Act (CFAA) charges after a Google search they did turned up personal data on 170,000 customers that two telcos left exposed. At issue are low-income customers of YourTel and TerraCom, who provide service for the FCC’s Lifeline, a phone service for people who are enrolled in state or federal assistance programs. Apparently, the real issue was a company called Vcare, which the two telcos outsourced certain services to. The Scripps reporters noted that they did nothing more than a Google search:
The unprotected TerraCom and YourTel records came to light through the simplest of tools: a reporter’s Google search of TerraCom.
The records include 44,000 application or certification forms and 127,000 supporting documents or “proof” files, such as scans or photos of food-stamp cards, driver’s licenses, tax records, U.S. and foreign passports, pay stubs and parole letters. Taken together, the records expose residents of at least 26 states.
The application records, drawn from 18 of those states and generally dated from last September through November, list potential customers’ names, signatures, birth dates, home addresses and partial or full Social Security numbers. The proof files, from last September through April, include residents of at least eight remaining states.
Of course, rather than be thankful to the reporters for letting them know about a huge security lapse, or be apologetic for revealing all sorts of key data on their customers, they decided to sue.
However, Vcare and the two telecom companies assert that the reporters “hacked” their way into the data using “automated” methods to access the data. And what was this malicious hacking tool that penetrated the security of Vcare’s servers? In a letter sent to Scripps News by Jonathan D. Lee, counsel for both of the cell carriers, Lee said that Vcare’s research had shown that the reporters were “using the ‘Wget’ program to search for and download the Companies’ confidential data.” GNU Wget is a free and open source tool used for batch downloads over HTTP and FTP. Lee claimed Vcare’s investigation found the files were bulk-downloaded via two Scripps IP addresses.
I’m not sure how anyone could claim that the mere use of Wget constitutes a form of hacking, even under the extremely loose interpretations of the CFAA. However, as mentioned, the story does have similarities to the weev case — except this time we’re talking about reporters for a well-known news service, rather than someone with a reputation as an internet troll. Hopefully, if the telcos do decide to actually file a lawsuit, it gets laughed out of court.