Privacy on the Line: Security lapse exposes some Lifeline phone customers to ID theft risk
Isaac Wolf, Scripps News
10:01 AM, May 19, 2013
10:48 AM, May 20, 2013
Last fall, when Linda Mendez was offered discount phone service through a federal program for the poor, the San Antonio mom thought it was too good to be true. She signed up anyway.
Mendez, 51, works the graveyard shift at a university gym, where she keeps the building clean and stocked with towels. She uses many of her cellphone's allotted 250 minutes each month to call the family's modest house in the evening while she's at work, checking on her husband and four young children.
Did you do your homework? Are you ready for bed?
Mendez's phone also comes in handy during the day. After getting off work at 5 a.m., Mendez prepares her kids for school. She sleeps for several hours and then attends to household chores, picks up her children and stays on top of their appointments. That's particularly important for Mendez because her 11-year-old daughter, Denise, has Down syndrome.
"I'm always telling my husband, ‘where's my phone?'" she said, adding that it also helps her stay in touch with her three adult children and 13 grandchildren.
"I need it because something's usually happening."
For all the convenience afforded by Lifeline, the federal program that subsidizes phone service for qualified low-income households, Mendez now says her initial doubts were justified.
Her nine-digit Social Security number, her birth date, home address and the most sensitive details about her family's finances were available to anyone doing an online search this spring
. Tens of thousands of Lifeline applicants, including Mendez, were exposed to the risk of identity theft by the phone carriers that signed them up for the program and were supposed to keep their information safe.
More than 170,000 records from two participating companies -- Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc. -- were posted online, a Scripps News investigation has found. The records, from residents of at least 26 states, include Social Security numbers, dates of birth and information about participation in other government-assistance programs. Of those records, 343 were viewed by unknown, and potentially unauthorized, individuals, an official for both companies acknowledged.
Scripps unearthed the documents through a simple Google search and alerted TerraCom and YourTel of its findings on April 26. Within hours, the records no longer were publicly accessible.
Mendez, shown a copy of the Lifeline application she'd completed for TerraCom, was shocked
. The inherent risk from posting vital private information online is "just destroying us," she said.
"How can they make it so easy like this for people to steal somebody's identity?"
TerraCom officials declined numerous requests for an interview, though a spokesman for the company said it has notified federal and state officials of the security breach.
The breach is the latest in a series of problems in the Lifeline program. Begun in 1985 during the Reagan administration to aid low-income families in finding and retaining jobs, among other aims, Lifeline was expanded in 2005 to include wireless service. Cellphones have proven much more prone to abuse, and harder to track, than landlines. Some customers have received multiple phones. Some carriers have sent cellphones to people who'd never applied -- or who were dead.
Liberal distribution pays off for the hundreds of phone companies participating in Lifeline. They're reimbursed from $9.25 to $34.25 per line per month. American consumers pick up the tab for the program -- which last year cost $2.2 billion -- and other federal communications programs through an average $2.73 monthly surcharge on their phone bills.
Growing concerns about waste, fraud and abuse led the Federal Communications Commission to announce last year that it would tighten program rules. It limited household reimbursement to either one landline or one cellphone line, for instance, and required Lifeline carriers to document applicants' eligibility. Before that, a customer's signature was sufficient.
In response, the number of subscribers dropped from a peak of 18.2 million last August to 13.2 million last month.
New responsibility for vetting applicants is driving carriers to collect more sensitive information -- which they're expressly forbidden from keeping.
Carriers "must not retain copies of applicant's personal documentation that is viewed to validate eligibility," the Universal Service Administrative Co., the nonprofit that runs the Lifeline program,
instructs on its website.
However, personal documents collected by TerraCom and YourTel America workers and dating back to September were posted to the Internet, Scripps found. The records were being stored by Call Centers India, a contractor hired to help the carriers determine Lifeline applicants' eligibility, according to TerraCom attorney Jonathan Lee.
Mendez, the San Antonio mom, said she signed up for Lifeline after a TerraCom agent called the family's landline and solicited her business. To enroll, Mendez provided her full Social Security number and birth date, then mailed in proof that her family receives other government assistance. Two weeks later, the cellphone arrived.
The FCC, which declined interview requests, acknowledged it knew of TerraCom's records release. "While we don't generally confirm or deny the existence of a specific investigation, we are aware of this incident," an FCC spokesman wrote in an email, noting that a carrier could be fined up to $1.5 million for a single violation of privacy.
The commission and TerraCom have had previous dealings. In February, TerraCom and YourTel together paid $1 million in fines and "voluntary" contributions to close an FCC investigation into their billing practices,
according to the commission. TerraCom also faces ongoing inquiries about its business practices from regulators in
Oklahoma (http://bit.ly/okpomotion) and
The Indiana attorney general's office, responding to Scripps' reporting, has launched an investigation into the release of TerraCom applicants' personal records. The Texas attorney general's office is also making inquiries about the publicly posted information.
Indiana and Texas have the highest numbers of applicants potentially at risk -- 17,419 and 10,799, respectively -- a partial analysis of the records shows.
Among them is Charles Daye of Indianapolis. His Social Security card, state ID and Hoosier Works (food stamp) card were uploaded. "I hate it being online," the 56-year-old said from the doorstep of his house after being shown his completed Lifeline application.
The unprotected TerraCom and YourTel records came to light through the simplest of tools: a reporter's Google search of TerraCom.
The records include 44,000 application or certification forms and 127,000 supporting documents or "proof" files, such as scans or photos of food-stamp cards, driver's licenses, tax records, U.S. and foreign passports, pay stubs and parole letters. Taken together, the records expose residents of at least 26 states.
The application records, drawn from 18 of those states and generally dated from last September through November, list potential customers' names, signatures, birth dates, home addresses and partial or full Social Security numbers. The proof files, from last September through April, include residents of at least eight remaining states.
Immediately after Scripps notified TerraCom of the publicly posted records, the phone carrier contacted the contractor it had hired to review applications and store data. Call Centers India, which also does business under the name Vcare Corp., began an "intensive investigation of its system," wrote Lee, the lawyer for TerraCom and YourTel.
Vcare, with a corporate footprint in Seattle, primarily operates from a suburb of New Delhi, India, its
Facebook page indicates.
Working with the phone carriers, it determined that 343 applicants' personal data files "were accessed without authorization" by unknown parties, a TerraCom spokesman said.
But it's not clear that TerraCom can make a full accounting of how many applicant files were accessed. As TerraCom lawyer Lee pointed out in a letter, Vcare's log of website visitors does not extend beyond 30 days -- in this case, from late March through April 26. Another TerraCom spokesman could not answer whether any files, if posted earlier, had been accessed.
Dale Schmick, chief operating officer for both TerraCom and YourTel, said in a written statement that Scripps journalists put "applicants' personal data files at risk when they downloaded the records."
He added, "This is a very serious matter and we are actively investigating the full extent of any security breach."
TerraCom also accused Scripps of accessing the records illegally. Scripps denied the allegation and offered to demonstrate how it found the documents online.
Privacy experts questioned TerraCom and YourTel practices that led to the information's release.
"Why post it? Why make it available online under any circumstances?" said S. Jenell Trigg, a Washington attorney who has led seminars on privacy laws. "How was this Indian company vetted? What investigation did the Americans do to check on them?"
And, she added, "Why did it take a reporter to find this breach?"
A TerraCom spokesman could not answer but said the company "is still investigating."
Privacy risks in the Lifeline program extend beyond cyberspace.
While recruiting potential customers for Lifeline service outside an Indianapolis food stamp office, Dan Smith jotted applicants' names, addresses and partial Social Security numbers in a notebook.
Smith, 53, used his own cellphone to take pictures of applicants' food stamp and Medicaid cards as evidence for Miami-based SafeLink Wireless, for which he worked sporadically for several months beginning last summer. The company -- one of the largest Lifeline carriers and part of Mexican tycoon Carlos Slim's America Movil wireless company -- paid him $4 per applicant, translating to as much as $150 for a few hours on a good day.
Every few days, manager Carl Archer would stop by Smith's table and collect the sheets of paper Smith had filled with names, addresses and numbers, Smith said. Then, Smith emailed him the images. He'd wait a few days before deleting them, in case Archer had a question or needed them resent, Smith said. No one ever checked his phone or asked what he'd done with his written notes to make sure they'd been destroyed, he added.
Reached by phone later, Archer disputed Smith's account but wouldn't say how Smith got his applicants into the SafeLink system.
SafeLink spokesman Jose Fuentes said that Smith's practice of transcribing Social Security numbers violated company policy -- and that it led to his firing.
The company requires agents to take online training that includes confidentiality guidance, and to sign forms guaranteeing they will protect customer data, said Fuentes, adding that SafeLink also routinely conducts random audits.
Smith said he never knew about such rules and training.
No matter how comprehensive the privacy safeguards, sensitive information slipped out. Archer, the Indianapolis manager, posted an applicant's Hoosier Health Card -- complete with name, date of birth and Medicaid card number -- on his Facebook page.
Scripps notified SafeLink about the Facebook posting. Archer subsequently was terminated, Fuentes wrote in an email, noting that SafeLink has begun checking its representatives' social-media pages.
To improve Lifeline oversight, the FCC is building two new databases. One will aggregate client lists from a range of federal government-assistance programs. The other will list all Lifeline customers to prevent duplication.
But the idea of letting carriers tap into such a centralized system -- expected to be
built by year's end --has raised privacy concerns.
"Providing carriers with access to a list of the governmental means-tested programs … could violate the applicant's privacy right," the California Public Utility Commission wrote in
an April 2012 comment to the FCC.
Even with electronic protections built into the nascent database, crooks might still find a way to access and abuse the sensitive records -- as they've already been doing offline.
Last September, Chauncey Hicks allegedly posed as an agent for Life Wireless, another Lifeline participant, to gain access to and steal from the food stamp accounts of 47 Chicago-area residents who thought they were applying for Lifeline service, according to police documents and interviews.
Hicks never worked for Life Wireless -- but his wife had. Terminated last August, she hadn't yet returned the marketing materials and roughly 200 phones when Hicks allegedly began handing them out in exchange for food stamp account information and access codes. Authorities found more than 300 completed Lifeline applications in the closet of Hicks' master bedroom, a police report shows.
Hicks -- in jail awaiting trial on 10 felony counts including charges of identity theft, theft, financial crimes and organized crime -- could not be reached for comment.
Life Wireless attorney Michael Geoffroy emphasized that the Covington, Ga., firm tries to block rogue agents through background checks, audits and other measures. But no oversight system is perfect, he said: "You can't be careful enough. We have to realize there are other people in our agents' lives."
Several months elapsed between when Hicks allegedly stole data on welfare benefits and the time he tapped it to purchase groceries and cases of Red Bull, police records show.
Privacy experts say this time lapse is common, making it even more difficult for those whose information has been compromised to stay on guard.
Trigg, the ID theft expert, said TerraCom should notify all applicants whose information was posted online.
TerraCom said it has reached out to the 343 applicants whose files were known to have had unauthorized access. The company also has set up a toll-free hotline -- 855-297-0243 -- on which "live call-center representatives" will guide consumers on "steps to protect their financial information" and to guard against ID theft, Schmick said in a statement.
Mendez, in San Antonio, urgently wants to protect her information. She said she already has experienced the strain of ID theft through an unrelated case: Over the past several years, "somebody's been using my husband's Social Security" number, which has created complications with the family's tax refund checks and other benefits, she said.
Three weeks after learning of the security breach, Mendez said she'd phoned TerraCom at least three times to seek reassurance that her data is secure.
"They just say, ‘We don't know nothing about that,' " Mendez told Scripps. "They're never going to call me back. I don't think they want to."