US Operators Fined $10 Million After Data Security Shambles

Two US mobile operators have been fined $10 million jointly by the FCC after they stored customer information in publically accessible folders on the internet with zero security in place.

TerraCom and YourTel were named and shamed in a notice from the regulator on Friday.

It details how the firms collected names, addresses, social security numbers, driver’s licenses, and “other proprietary information (PI)” belonging to over 300,000 customers. They then stored it on unprotected servers “that anyone in the world could access with a search engine and basic manipulation.”

There was no attempt made to implement even password protection or encryption, exposing their customers to the risk of identity theft and other “serious consumer harms,” the FCC said.

The firms also misled customers in stating in their privacy policies that they had “implemented technology and security features” to safeguard sensitive data, when in fact they did not, the notice continued.

What’s more, when a data breach eventually occurred the firms allegedly failed to notify all potentially affected customers, compounding the threat of successful identity fraud.

The operators were apparently busted by an investigative reporter working for the Scripps Howard News Service, who in early 2013 discovered their almost non-existent approach to information security.

The FCC explained how:

“Between March 24, 2013, and April 26, 2013, Scripps accessed at least 12,806,611 confidential records and documents submitted by subscribers and applicants for the companies’ services. Scripps located a consumer’s data file by conducting a simple Google search. Once it had located a single file, Scripps shortened that file’s URL and obtained access to the entire directory of applicant and subscriber data. On April 26, 2013, Scripps alerted the companies that it had accessed their servers and had retrieved the PI of subscribers and applicants stored there.”

The operators even went as far as contacting the FCC Enforcement Bureau after this to complain that the reporter had illegally 'hacked' its servers.

The firms offer a phone service for low-income households in the US known as Lifeline Assistance, which requires customers to submit financial records online to prove that they are eligible for the government-backed scheme.

They contracted IT services firm Vcare to handle the data storage and security – a job that was not done very well, it appears.

What’s Hot on Infosecurity Magazine?