Last fall, when Linda Mendez was offered discount phone service through a federal program for the poor, the San Antonio mom thought it was too good to be true. She signed up anyway.
Mendez, 51, works the graveyard shift at a university gym. She uses many of her cellphone’s 250 minutes a month to check on her husband and four young children, including a daughter with Down syndrome.
“I’m always telling my husband, ‘Where’s my phone?’ ” Mendez said, adding that it also helps her stay in touch with her three adult children and 13 grandchildren. “I need it because something’s usually happening.”
For all the convenience afforded by Lifeline, the federal program that subsidizes phone service for qualified low-income households, Mendez now says her initial doubts were justified.
Tens of thousands of Lifeline applicants, including Mendez, were exposed this spring to the risk of identity theft by the phone carriers that signed them up for the program.
More than 170,000 records from two participating companies — Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc. — were posted online, a Scripps News investigation has found. The records, from residents of at least 26 states, include Social Security numbers, dates of birth and information about participation in other government-assistance programs. Of those records, 343 were viewed by unknown individuals, an official for both companies acknowledged.
Scripps unearthed the documents through a simple Google search and alerted TerraCom and YourTel of its findings April 26. Within hours, the records no longer were publicly accessible.
Mendez, shown a copy of the Lifeline application she’d completed for TerraCom, was shocked.
“How can they make it so easy like this for people to steal somebody’s identity?”
TerraCom officials declined numerous requests for an interview, though a spokesman for the company said it has notified federal and state officials of the security breach.
Lifeline, begun in 1985 to aid low-income families, was expanded to include wireless service in 2005. Adding cellphones also created problems: Some customers received multiple phones. Some carriers sent them to people who’d never applied.
Liberal distribution pays off for the hundreds of phone companies participating in Lifeline. They’re reimbursed from $9.25 to $34.25 per line per month. American consumers pick up the tab for the program — which last year cost $2.2 billion — and other federal communications efforts through an average $2.73 monthly surcharge on their phone bills.
Growing concerns about waste, fraud and abuse led the Federal Communications Commission last year to tighten program rules. It limited household reimbursement to one phone line, for instance, and required Lifeline carriers to document applicants’ eligibility. Before that, a customer’s signature was sufficient.
In response, the number of subscribers dropped from a peak of 18.2 million last August to 13.2 million last month.
New responsibility for vetting applicants is driving carriers to collect more sensitive information — which they’re expressly forbidden from keeping.
Carriers “must not retain copies of applicant’s personal documentation that is viewed to validate eligibility,” the Universal Service Administrative Co., the nonprofit that runs the Lifeline program, instructs on its website.
However, personal documents collected by TerraCom and YourTel America workers and dating back to September were posted to the Internet, Scripps found. The records were being stored by Call Centers India, a contractor hired to help the carriers determine Lifeline applicants’ eligibility, according to TerraCom attorney Jonathan Lee.
The FCC, which declined interview requests, is “aware of this incident,” an FCC spokesman wrote in an email, noting that a carrier could be fined up to $1.5 million for a single violation of privacy.
The commission and TerraCom have had previous dealings. In February, TerraCom and YourTel together paid $1 million in fines and “voluntary” contributions to close an FCC investigation into their billing practices, according to the commission. TerraCom also faces ongoing inquiries about its business practices from regulators in Oklahoma and Indiana.
The Indiana attorney general’s office, responding to Scripps’ reporting, has launched an investigation into the release of TerraCom applicants’ personal records. The Texas attorney general’s office also is making inquiries about the publicly posted information.
The unprotected records came to light through a reporter’s Google search of TerraCom.
The records include 44,000 application or certification forms and 127,000 supporting documents or “proof” files, such as scans or photos of driver’s licenses, tax records, pay stubs and passports. Taken together, the records expose residents of at least 26 states.
The application records, drawn from 18 of those states, generally date from last September through November. The proof files, from last September through April, include residents of at least eight remaining states.
Immediately after Scripps notified TerraCom of the records discovery, the phone carrier contacted the company it had hired to review applications and store data. Call Centers India, which also does business under the name Vcare Corp., began an “intensive investigation of its system,” wrote Lee, the lawyer for TerraCom and YourTel.
The phone carriers and Vcare, which primarily operates from a New Delhi suburb, determined that 343 applicants’ personal data files “were accessed without authorization” by unknown parties, a TerraCom spokesman said.
But it’s not clear that TerraCom can make a full accounting. As TerraCom lawyer Lee pointed out in a letter, Vcare’s log of website visitors does not extend beyond 30 days — in this case, from late March through April 26. Another TerraCom spokesman could not answer whether any files, if posted earlier, were accessed.
Dale Schmick, chief operating officer for both TerraCom and YourTel, said in a written statement that Scripps journalists put “applicants’ personal data files at risk when they downloaded the records.”
He added, “This is a very serious matter and we are actively investigating the full extent of any security breach.”
TerraCom also accused Scripps of accessing the records illegally. Scripps denied the allegation and offered to demonstrate how it found the documents online.
TerraCom said it has reached out to the 343 applicants whose files were known to have had unauthorized access. The company also has set up a toll-free consumer hotline: 855-297-0243.
Mendez, in San Antonio, urgently wants to protect her information. She already has experienced the strain of ID theft through an unrelated case, she said: Over the past several years, “somebody’s been using my husband’s Social Security” number, creating complications with the family’s tax refund checks and other benefits.
Three weeks after learning of the security breach, Mendez said she’d phoned TerraCom at least three times to seek reassurance that her data were secure.
“They just say, ‘We don’t know nothing about that,’ ” Mendez told Scripps. “They’re never going to call me back. I don’t think they want to.”
Contact Scripps reporter Isaac Wolf at email@example.com. Additional reporting by Scripps’ Jim Osman at jim. firstname.lastname@example.org.
“Why post it? Why make it available online under any circumstances? How was this Indian company vetted? What investigation did the Americans do to check on them? Why did it take a reporter to find this breach?”
S. Jenell Trigg, a Washington attorney who has led seminars on privacy laws
■ Tens of thousands of low-income Americans who’d applied for subsidized phone service through the federal Lifeline program were put at heightened risk for identity theft.
■ More than 170,000 sensitive records — many of which include full Social Security numbers or financial account information — were posted publicly online, exposing residents from at least 26 states.
■ Scripps News discovered the records through a simple Google search. They were collected for two Lifeline carriers, Oklahoma City-based TerraCom Inc. and affiliate YourTel America Inc.
■ The phone companies said records of 343 individuals were accessed by unknown parties between March 24 and April 26.
■ The records uncovered by Scripps date back eight months. It’s unclear how TerraCom could fully assess the breach because its 30-day history of website visitors doesn’t cover the entire period when records were publicly available.
■ The FCC forbids carriers from retaining Lifeline applicants’ proof of program eligibility, but the publicly posted TerraCom records include 127,000 such records dating back to September.
At least 26 states had residents who applied for the federal Lifeline phone program and subsequently had personal records available on an unsecured website earlier this spring. The list is based on a partial, not comprehensive, review of more than 170,000 records posted publicly. Some records contain information indicating applicant residence in multiple states.