A month ago, two phone carriers participating in a federal benefit program were alerted that sensitive customer records, including Social Security numbers and bank-account records, were freely posted online.
Now, Oklahoma-based TerraCom Inc. and affiliate YourTel America Inc. -- the companies that collected the records -- say they don't plan to notify all affected consumers of the privacy breach, which affects residents of 26 states.
Indiana Attorney General Greg Zoeller joined frustrated customers by saying TerraCom "really needs to take full responsibility" for the records' release. His office has launched an investigation of the company.
A Scripps News investigation found posted online more than 170,000 application records for Lifeline, a benefit that subsidizes phone service for the needy. Many of the records included full Social Security numbers, tax filings and other highly sensitive details.
A Scripps reporter first located the records -- which had no password protection -- through a simple Google search, and notified TerraCom officials on April 26.
TerraCom has decided not to contact individually all the tens of thousands of consumers whose information was publicly accessible. For the vast majority, "the risk to identity theft and fraud is low," a TerraCom spokesman wrote in an email to Scripps on Friday.
Earlier in May, TerraCom mailed letters to 343 applicants who are at heightened risk of ID theft, the spokesman said. It also has started contacting all exposed applicants from four states -- Texas, Minnesota, Nevada and Illinois -- because of stringent state laws there.
The TerraCom spokesman said Friday there are 40,000 such applicants in those four states, but he would not say how many applicants nationwide may have had their sensitive information revealed.
In the month since Scripps informed TerraCom of the privacy breach, the phone company has accused Scripps of "hacking." Scripps has denied the charge, posting video showing how it located the records, and offering to meet with TerraCom officials and explain how it accessed the records. TerraCom officials have declined interview requests and have not provided any evidence for their allegations.
"TerraCom has done itself a disservice by trying to shift the blame, because I am looking for people to recognize their responsibility," said Zoeller.
Zoeller said TerraCom should be working harder to protect its customers' information. "Frankly, they need to spend a little more money protecting the security of that data file and not leave it to consumers," he said.
The TerraCom spokesman said Friday that residents of 20 states had been affected by the breach. Scripps, in reviewing some of the publicly posted records, has counted residents of 26 states.
Some of those who have been contacted by TerraCom say they are confused. Elton Montgomery, 53, of Gary, Ind., said he received a letter from TerraCom alerting him that his application was viewed by an unknown party. Montgomery said he also received an offer for free credit monitoring, but he's not sure whether he should fill out the form.
"It still don't make no sense to me," he said. "This shouldn't have happened in the first place."
(Email Scripps reporter Isaac Wolf at firstname.lastname@example.org.)