TerraCom and YourTel threaten journalists who exposed massive personal data breach

Journalists discovered that two companies had posted the personal data of 170,000 customers online. The leak, which exposed the victims to identity theft and fraud, was reportedly so bad that social security numbers, passport scans, financial data and home addresses were indexed by search engines. Rather than merely address the problem, however, TerraCom and YourTel threatened the reporters, referring to them as “hackers” and accusing them of “numerous violations of the Computer Fraud and Abuse Act.”


David Giles, Scripps’ deputy general counsel, responded to the accusation that the reporters “hacked” the information by calling on the companies to stop the “name calling and the legal posturing” and instead address the “apparent careless security practices” raised by the story. “Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote in a letter sent to TerraCom and YourTel’s lawyers earlier this month.

It's interesting how readily many of us pattern-recognize this as a classic "hacker tragedy," whereby clueless stupids kill the messenger who was trying to help them. But it seems simpler than that, to me: is this not simply a case of criminals breaking data protection laws in pursuit of their own convenience, then threatening the people who caught them?

See, for example, this part of the legal nastygram they sent to the journos:

"Because the Scripps Hackers have put the Companies in the position of having to incur the costs of potentially complying with more than 20 state data breach notification laws, the Companies are likely to look to Scripps to reimburse them for those costs."

Translation: "If only we hadn't been found out, we wouldn't have to comply with the law. You'll pay for this!" *shakes fist*


  1. In the past when security holes in essential services were identified by using the service, not by attacking or probing the service, the owners of the running service were notified by the discoverer and given a grace period to fix the bug. Grace periods were about 3 to 6 months, which is more than enough time to fix the bug. After the grace period full disclosure was made to the public whether the bug was fixed or not, especially if it wasn’t, so people could protect their data. Disclosure was usually made on the bugtraq email list.

    Now the act of discovering and disclosing security holes has been made illegal. This intolerable, grossly unjust legal construct cannot be allowed to continue and I have no respect for it all. It is wrong.

    In the short term a security consortium could be created to receive security notification, manage remediation, and protect the discoveries.  Perhaps a legal team can be bolted on to SecurityFocus.com.

    In the meantime, the real crackers are accessing your data.

  2. There is a part of me that looks forward to the day when social security numbers, driver’s license numbers, etc. will all have to be abandoned because they are unsupportable in an era of internet connectedness and poor software design and operations.
    Just imagine not having to worry about identity theft – because for both practical reasons and even legal reasons, digital identities are both given up as a bad idea – and made illegal to attempt too.  (I’d like to make the case that poorly managed “digital identity systems” that get hacked, etc. put the operators at risk of LIBEL when the “digital identity” is used by someone else to run up debts, commit crimes or mischief, etc.)

    Certain things would be harder – such as quick loans that can quickly put you in over your head/ability to repay.  But the relief that your digital identity can’t be stolen – because it’s impossible to have one – that relief would be incredible.

  3. The whole concept of “identity theft” is wrong. It is just a way of shifting responsibility from careless institutions to individuals. For example: Someone goes to a bank, convinces the bank that they are me, and the bank gives them some of the bank’s money. Someone stole the bank’s money, not my identity, and not my money. This concept that a third party can create some sort of independent “identity” I am responsible for, and that somehow someone can “steal” it, and that it is my fault that idiots can’t tell who they are doing business with is so absurd. In 1991 some reporter in Boston coined the term “identity theft” when we had perfectly good terms like impersonation, fraud, and other terms for conning stupid people. Then institutions seized on the idea as a way of shifting responsibility for their failures on to individuals. If institutions can’t figure out who they are dealing with, then that should be the institutions’ problem, not the problem of people who are being impersonated.

    1.  hugh

      This is exactly the way I have always framed the issues in my mind as well.. 

      Not only does it wrongly shift the responsibility to you, but it does the cost as well. Then, as an extra cherry on this shit cake, they will gladly charge you 14.95 (or more) so that you can monitor your information and ensure that their poor practices do not ruin your life…  Nice people, from start to finish..
