Three months after TerraCom Lifeline data breach, answers still elusive
10:00 AM, Jul 20, 2013
5:53 PM, Jul 19, 2013
WASHINGTON - Nearly three months after TerraCom Inc. learned that it was exposing tens of thousands of its customers to a heightened risk of identity theft, the Oklahoma City-based phone company still doesn't know how troves of sensitive documents made their way online.
Scripps News discovered that a data vendor for TerraCom and its affiliate, YourTel America Inc., had posted publicly online 170,000 customer-application records for Lifeline, a federal program that subsidizes phone service for the needy.
In an exclusive interview Thursday with Scripps News, TerraCom Chief Operating Officer Dale Schmick made his most extensive public comments on the breach. He said the company conducted two security audits of its systems and made "a ton of improvements" to its firewalls.
As reported by Scripps, some of those records included full Social Security numbers, bank-account information and driver's-license data. On April 26, Scripps alerted TerraCom that the sensitive information was freely available online, and TerraCom worked with its data vendor, Call Centers India, to safeguard the records within an hour.
But as of this week, Schmick still couldn't say why the files were ever publicly accessible.
"We are still waiting for the final details from the forensics folks on exactly what happened," he told Scripps. "We did act real quickly to stop it from happening, and we're working real hard to prevent it from happening again. I don't have the specifics today as to exactly what occurred."
Previously, TerraCom had blamed Scripps for accessing the publicly available records. But on Thursday, Schmick apologized for the breach.
"I think we've always been sorry that this happened. I think we've always taken responsibility for that," Schmick said. "… If anybody thinks we aren't sorry, if anybody out there thinks we didn't do our best to resolve this, then I apologize to them again."
Aside from TerraCom, the expansion of the federal Lifeline program from landline service to cellphones in 2005 led to a cascade of complaints about waste, fraud and abuse in the federal program -- such as participating companies unscrupulously expanding their subscriber bases and individuals wrongly receiving multiple phones. The program, paid for by a surcharge on phone bills, cost $2.2 billion last year. Participating phone companies each month are reimbursed a minimum of $9.25 per Lifeline customer.
Last week, TerraCom and YourTel America announced that they had fired their national sales force of 700 agents and employees, who operated in 23 states.
Schmick told Scripps that TerraCom had been planning the layoffs for "quite a while," but decided to accelerate its timetable after growing concerned in late June about complying with federal rules governing Lifeline.
TerraCom's fear was that its sales force could break the federal rules by prematurely telling an applicant that he or she was approved for Lifeline. The Federal Communications Commission, which oversees Lifeline,
wrote on June 25 that participating companies "may not provide an activated handset to a consumer whose eligibility has not been fully verified" by the company.
At an Indiana hearing about TerraCom's business practices earlier this month, Schmick said that TerraCom had sometimes approved phone service for Lifeline applicants but later found them to be ineligible.
During Thursday's interview, Schmick said he had confidence in most of the sales staff who had just been fired. "The vast majority of these people are hardworking, OK?" he said. "The vast majority of these people have done a good job for us."
They were fired, Schmick said, because TerraCom is overhauling its business model. "We've always been the kind of company that's always looking to reinvent itself, to be progressive, to be on the cutting edge of the industry," he told Scripps.
Schmick's interview comes as TerraCom is in turmoil. The company, which
paid $1 million last year to end a FCC probe, is under investigation in
Indiana. Attorneys general in Illinois and Indiana are also examining TerraCom's data-security practices in response to Scripps' reporting.
At a July 3 hearing convened by the Indiana Utility Regulatory Commission, Schmick defended company practices and the sales staff -- but didn't mention the layoffs.
So, Indiana investigators said Thursday that it came as a surprise to them to learn that TerraCom fired its sales force. The Indiana regulators
said in a filing that they were "caught off guard" by news of the mass firings, and ordered the company to explain by Aug. 1.
Schmick told Scripps that TerraCom looks forward to responding to Indiana regulators. "The fact of the matter is, at the time of that hearing we were in the notification process, and it would have been inappropriate to have stated it during the hearing," he said Thursday.
For Scripps' complete coverage on Lifeline, visit: http://www.shns.com/privacy-on-the-line
(If you have tips about the Lifeline program, email Scripps national reporter Isaac Wolf at email@example.com. Distributed by Scripps Howard News Service, www.shns.com.)