Response from TerraCom, Inc.

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.knoxnews.com/news/2013/may/18/response-terracom-inc/

"On April 26, 2013, the companies were made aware of the fact that
Scripps Howard News Service was able to access personal data files of
applicants seeking enrollment in the program.

We deeply regret that this incident occurred, and we are sorry that
personal data of Lifeline applicants was recently accessed by Scripps
Howard News Service.  This is a very serious matter and we are
actively investigating the full extent of any security breach in our
computer systems and we've taken steps to eliminate any potential
release of personal data in the future.

This is the first time that we or our third party vendor have
experienced a breach of security and we are committed to doing all
that is possible to ensure that similar incidents do not occur in the
future.

Upon being notified of the breach, we took immediate steps to secure
the personal data of applicants to prevent any further unauthorized
access to the files and because of the additional safeguards now in
place, we are fully confident that the applicants' personal data is
secure.

Based on our ongoing investigation – being conducted in coordination
with an independent digital forensics team – there appears to be no
evidence to indicate that a malicious attack occurred on our computer
systems, nor does it appear that any applicant has been injured as a
result of the unauthorized access of personal data files by the news
organization. Our digital forensics analysis shows that the news
service didn't notify us when they first discovered that a few hundred
files were searchable on the Internet, and instead put more than
100,000 applicants' personal data files at risk when they downloaded
the records onto their computers.  Although the news service will not
hand over the data and will not verify what security measures they've
taken to protect the data, they've assured us that they will not
voluntarily disclose that information to third parties. There were
also a few hundred applicant personal data files accessed without
authorization by third parties other than the news service and we are
committed to answering their questions and assisting them through this
process. To the extent that new information comes to light regarding
this matter we will take appropriate action to protect our customers
and comply with all relevant laws and regulations.

We have established a toll-free number (1-855-297-0243) for applicants
and customers to contact us with questions they may have.  Live call
center representatives are available to answer their questions and
provide guidance on steps they can take to protect their financial
information and guard against the potential for identify theft.

For the Lifeline applicants whose data was accessed without
authorization by someone other than the news service, we will provide
them with instructions on how to enroll in a credit-bureau monitoring
service at no cost to them. We apologize for any inconvenience this
situation has caused consumers and we are committed to helping them
through this process."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.