Gannett Paper Exposes Gun Owners, Hides Hacks


Just a few hours after I posted a blog that referenced a suburban New York newspaper's decision to publish a map showing the names and addresses of all gun permit holders in two counties, a curious thing happened.

I received an email that warned this newspaper's website had been hacked multiple times -- and that the "personal, private data" of its readers had been distributed worldwide. According to the email, the website of The Journal News, a Gannett newspaper in Westchester County, N.Y., has been hacked four times since it published that map.

And in a stunning apparent reversal of its quest for transparency, the paper has not bothered to notify any of the affected readers -- more than 10,000 of them, to be precise.

The email was interesting, but I probably would have blown it off as spam if it hadn't included some of the data that was breached -- specifically my own name, address, and phone number, which I had provided to the site years ago when I registered to comment on a story.

So now I was intrigued.

The email allegedly came from the Economic Guardian, which claims to publish a financial newsletter that "covers the conservative side of stock market news." I couldn't find a website or any of the Economic Guardian's newsletters. Normally, that would be enough to get me to delete the email. But how did it have my personal information? And what was the point of the email?

Apparently anticipating that most people would wonder the same thing, the email explained that it was simply attempting to do something The Journal News had failed to do: Alert the victims of the data breach.

"To be blunt, we have no idea why the Journal News has not notified you," it stated. "They have left you in jeopardy for over two months."

One hack was acknowledged on the Gannett Blog, a private site operated by a former USA Today editor and reporter who has been blogging about Gannett Co. Inc. since 2007. But the paper itself has been strangely silent. It never notified me that my personal information (including my password) had been compromised. What's worse, I have a personal connection to the paper. I once worked there, covering real estate for its business section.

In fairness, The Journal News has been busy recently. After publishing the gun map, it had to hire RGA Investigations, a security firm, to provide armed guards to protect its buildings and its executives' homes. (I wonder if those guards were among the people identified as permit holders on the map.) Along with The Journal News, the website of RGA Investigations was hacked.

Still confused by the email and its message, I turned to my go-to source for information about data security: a young man with renowned skills as a hacker. I asked him specifically about the Economic Guardian's claims that it had been able to download an Excel spreadsheet of all of the compromised data from a "Swedish hacker website."

In 30 minutes, he had the spreadsheet in hand.

"I was able to obtain the full database, which contains thousands of names, addresses, phone numbers, and email addresses," my source said. "It also has hashed versions of the victims' passwords. A hashed password is a password that is encrypted, so it must be cracked before it can be used. But based on some things I'm reading on the Internet, some of the passwords in the database have already been cracked."

The first hack occurred Jan. 1, so the paper "really should have alerted people" by now, he said.

Why didn't it? Your guess is as good as mine. I'm still trying to get a response from someone at The Journal News. And if the company ever bothers to answer, I'll share whatever it says.

For now, I have work to do. I'm one of those fools who use the same password on multiple sites. Now that my standard password has made it into worldwide hacker databases, I guess it would be a good idea to change it on every site where I have used it.

Noreen Seebacher,

Noreen Seebacher, the Community Editor of Investor Uprising, has been a business journalist for more than 20 years. A New York City based writer and editor, she has worked for numerous print and online publications. Her work has appeared in The New York Times, the New York Post, New York’s Daily News, The Detroit News, and the Pittsburgh Press. She co-edited five newsletters for Real Estate Media’s GlobeSt.com and served as the site's technology editor.

She also championed the commercial real estate beat at The Journal News, a Gannett publication in suburban New York City, and co-founded a Website focused on personal finance. Through her own company, Stasa Media, Noreen has produced reports, whitepapers, and internal publications for a number of Fortune 500 clients. When she's not writing, editing, or Web surfing, she relaxes in an 1875 Victorian with her husband and their five kids, four formerly homeless cats, and a dog.



So bizarre
  • 3/8/2013 10:08:11 AM

Hi Noreen. This is one of the oddest stories I've read in a long time! It almost seems as if you received the email about the breach because you'd written about Gannett. Did you get that sense? Or do you think the timing was pure coincidence?

Re: So bizarre
  • 3/8/2013 2:40:27 PM

Bizarre is a good word for it.

Why wouldn't they notify people whose data has been compromised? Since they have the email list, just sending a prompt email would be the bare minimum. Publishing an article wouldn't hurt. They really didn't do so?

I'm curious to see how they respond to your questions.

PC

Re: So bizarre
  • 3/8/2013 3:02:03 PM

I'm really curious, too. Data privacy isn't something to toy around with. In fact, most states have data breach laws in effect that mandate notification when a breach involves personally identifiable information, don't they?

Re: So bizarre
  • 3/8/2013 3:38:58 PM

Yes, there are notification laws, which vary by state.  The NY state law is AB4254 which was signed in 2005, so this isn't a new issue.

And with data for 10,000 accounts hacked, this breach is a big deal.

PC

Re: So bizarre
  • 3/8/2013 3:46:27 PM

You have to wonder why Economic Guardian isn't going to authorities, then, rather than to the "victims." Something doesn't smell right about this whole thing!

Re: So bizarre
  • 3/8/2013 5:35:20 PM

@ Noreen, if I'm understanding things correctly, I think a possible reason why the Gannett paper didn't notify anyone, if this did occur, was the paper had already broadcast the information to the world, that the hackers did.  Though one did it legally and the other didn't. 

 

Re: So bizarre
  • 3/8/2013 8:33:23 PM

No Seth - that is not it. The hackers exposed login info for the paper's website. The paper published the names of gun permit owners.

Re: So bizarre
  • 3/8/2013 9:14:25 PM

The only possible explanation I can come up with is that the newspaper was caught without a plan in place to deal with such a case and ignored it hoping it would pass unnoticed. Inaction usually is a result of lacking direction. Not too good in this case.

Re: So bizarre
  • 3/9/2013 6:02:10 AM

Thanks Noreen. 

While Gannett may have the power to suppress the media, I am a little surprised some other news source didn't broadcast.  Or maybe they have a mutual understanding that one won't report the other. 

I'm wondering what the law says about disclosure on this issue, since this is not a financial institution. 

When I register to comment on a news site, sometimes I use a mock address such as 111 Street St. City, CA USA to prevent junk mail and such. Though rarely I do that because if it is a heated issue, I doubt anyone reads all 300 prior comments, before making a comment of their own. 

 

New York Hack victims
  • 3/10/2013 9:09:15 AM

Has anyone in the NY area looked up their names on the database? How do you feel about the theft of your personal information - and more importantly, the newspaper's failure to contact you?
