WASHINGTON – Two phone companies — TerraCom Inc. and YourTel America Inc. — unwittingly posted the Social Security numbers, driver’s licenses and other sensitive data of up to 300,000 clients to the Internet, an investigation found, and federal regulators said on Friday they plan to fine the firms.
As consumer data breaches go, the case — and its $10 million fine — is relatively small. But the incident is alarming because of how it unfolded: The companies participate in a government program called Lifeline, which subsidizes phone service for poor consumers. To crack down on fraudulent claims, federal regulators ordered carriers to collect identifiable information.
TerraCom Inc. and YourTel America, which are jointly owned, complied, but were so careless with the files that a reporter stumbled upon them during a simple Google search, according to the Federal Communications Commission.
In a written statement released Friday, Dale Schmick, chief operating officer of TerraCom Inc. and YourTel America Inc., said the company has since increased its data security efforts and completed “multiple security audits to prevent future breaches from taking place.”
“When faced with this instance of unauthorized access, we fully complied with state laws regarding notification of affected consumers,” Schmick wrote. “We look forward to working with the FCC to resolve this matter and welcome the opportunity to correct the record with regard to our security processes.”
But according to FCC investigators, even after company officials learned that the information could be accessed online, they failed to notify all potentially affected consumers. This deprived consumers “of any opportunity to take steps to protect their personal information from misuse by Internet thieves,” the FCC wrote in its announcement.
FCC officials said the companies were required to collect sensitive data from consumers to check their eligibility. But, the FCC says the companies should have destroyed the data as soon they verified that an applicant qualified for financial assistance. Instead, the data was stored in a format accessible to the Internet from September 2012 through April 2013.
“Consumers trust that when phone companies ask for their Social Security number, driver’s license and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” said Travis LeBlanc, chief of the FCC’s Enforcement Bureau. “When carriers break that trust, the commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”
The FCC investigation was triggered by Isaac Wolf, a reporter with Scripps Howard News Service. According to a May 2013 story posted by the news organization, an online search into TerraCom resulted in a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract with TerraCom and YourTel. Eventually, Wolf and his editors discovered more than 170,000 records that included Social Security numbers, home addresses and financial accounts.
According to a letter posted by Scripps Howard, a lawyer for the phone companies accused the news organization of violating anti-hacking laws. The FCC confirmed Friday that its investigation was prompted by the Scripps Howard news report.
Proponents of the Lifeline program say the federal subsidies are critical to ensuring that households that fall well-below the poverty line have access to at least one phone in case of emergency and to aid job prospects. The program began in 1985 and expanded in 2005 to include wireless phones. Because of the explosion in wireless technology since President Barack Obama took office in 2008, conservatives have dubbed Lifeline “Obama phone” or “Uncle Sam’s Unlimited Plan.”
“It’s a government-run, taxpayer-funded program that’s running wild and costing more and more,” said Rep. Tim Griffin, R-Ark., who proposed legislation to eliminate the program.
The $10 million fine was the FCC’s first data security case and its largest privacy action. In September, the FCC reached a $7.4 million settlement with Verizon regarding alleged unlawful marketing to customers without their consent or notification of privacy rights.
Follow Anne Flaherty on Twitter at https://twitter.com/AnneKFlaherty