A federal investigation launched when a reporter’s Google search revealed a phone company storing the confidential information of hundreds of thousands of customers on an open Internet site has resulted in a $10 million fine against two carriers.
The Federal Communications Commission announced the fine today against Oklahoma City-based TerraCom Inc. and affiliate YourTel America Inc. for several violations of laws protecting the privacy of phone customers’ personal information.
The FCC alleges the companies revealed the personal data of up to 305,000 low-income consumers through “lax data security practices,” exposing them to identity theft and fraud, according to a news release summarizing the action.
FCC enforcement officials said the two companies stored Social Security numbers, names, addresses, driver’s licenses and other sensitive information “on unprotected Internet servers that anyone in the world could access.”
The information was collected to show eligibility for Lifeline, a federal program that subsidizes phone service to qualified low-income households.
Travis LeBlanc, chief of the FCC’s Enforcement Bureau, said during a telephone news conference that the commission’s action “sends a clear signal that we will not tolerate conduct that puts American consumers at risk of financial fraud and identity theft.”
Messages left with the carriers’ corporate headquarters seeking comment on the commission’s action were not immediately returned.
LeBlanc said the investigation began after a reporter from Scripps News discovered the data breach in 2013 and wrote about it.
Concerns about waste and fraud in the Lifeline program’s wireless phone services had prompted the FCC to start requiring carriers to better document applicants’ eligibility in 2012, but the carriers were also warned not to retain copies of the documentation once they verified eligibility.
Scripps found that records from residents of at least 26 states were exposed on the Internet by an India-based contractor hired by TerraCom and YourTel to review applications and store data.
Company officials later said they verified that the records of 343 customers had been viewed by unknown and potentially unauthorized individuals on the Internet, although the records of who logged in and when were limited. The companies notified those clients of the breach, but did not give specific notice to the rest.
The FCC said the carriers violated the law in two ways: by failing to secure the data as called for by law, and by misleading customers about privacy protections and failing to notify them of the breach.