Journalists discovered that two companies had posted the personal data of 170,000 customers online. The leak, which exposed the victims to identity theft and fraud, was reportedly so bad that social security numbers, passport scans, financial data and home addresses were indexed by search engines. Rather than merely address the problem, however, TerraCom and YourTel threatened the reporters, referring to them as "hackers" and accusing them of "numerous violations of the Computer Fraud and Abuse Act."
Slate:
David Giles, Scripps' deputy general counsel, responded to the accusation that the reporters "hacked" the information by calling on the companies to stop the "name calling and the legal posturing" and instead address the "apparent careless security practices" raised by the story. "Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation," Giles wrote in a letter sent to TerraCom and YourTel's lawyers earlier this month.
It's interesting how readily many of us pattern-recognize this as a classic "hacker tragedy," whereby clueless stupids kill the messenger who was trying to help them. But it seems simpler than that, to me: is this not simply a case of criminals breaking data protection laws in pursuit of their own convenience, then threatening the people who caught them?
See, for example, this part of the legal nastygram they sent to the journos:
"Because the Scripps Hackers have put the Companies in the position of having to incur the costs of potentially complying with more than 20 state data breach notification laws, the Companies are likely to look to Scripps to reimburse them for those costs."
Translation: "If only we hadn't been found out, we wouldn't have to comply with the law. You'll pay for this!" *shakes fist*
