The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information.
According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers in unencrypted form on unprotected Internet servers that anyone in the world could access.
The information was gathered to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers. The companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.
In their privacy policies, the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” Yet, from September 2012 through April 2013, the sensitive documents they collected from consumers were apparently stored in a format accessible via the Internet and readable by anyone.
Ultimately, the personal information of up to 305,000 low-income consumers was apparently exposed to public view. Yet even after the companies learned of this security breach, they allegedly failed to notify all potentially affected consumers, depriving them of any opportunity to take steps to protect their personal information from misuse by Internet thieves.
“In early 2013, an investigative reporter working for Scripps Howard News Service (Scripps) discovered that the Companies were storing PI and documents submitted by low income Lifeline service applicants on an unprotected Internet site,” the FCC explained how the discovery of the information came about in a notice.
“Between March 24, 2013, and April 26, 2013, Scripps accessed at least 128,066 confidential records and documents submitted by subscribers and applicants for the Companies’ services. Scripps located a consumer’s data file by conducting a simple Google search. Once it had located a single file, Scripps shortened that file’s URL and obtained access to the entire directory of applicant and subscriber data. On April 26, 2013, Scripps alerted the Companies that it had accessed their servers and had retrieved the PI of subscribers and applicants stored there.”
The companies reacted by sending a “cease and desist” letter to Scripps, then contacted the Enforcement Bureau and claimed that they were victims of a security breach resulting from unauthorized access to personal data by an investigated reporter.
This is the second major enforcement action the Commission has taken to protect consumer privacy in the last two months. In September, the Commission’s Enforcement Bureau reached a $7.4 million settlement with Verizon to address the company’s unlawful marketing to two million customers without their consent or notification of their privacy rights.