Gannett Paper Exposes Gun Owners, Hides Hacks


Just a few hours after I posted a blog that referenced a suburban New York newspaper's decision to publish a map showing the names and addresses of all gun permit holders in two counties, a curious thing happened.

I received an email that warned this newspaper's website had been hacked multiple times -- and that the "personal, private data" of its readers had been distributed worldwide. According to the email, the website of The Journal News, a Gannett newspaper in Westchester County, N.Y., has been hacked four times since it published that map.

And in a stunning apparent reversal of its quest for transparency, the paper has not bothered to notify any of the affected readers -- more than 10,000 of them, to be precise.

The email was interesting, but I probably would have blown it off as spam if it hadn't included some of the data that was breached -- specifically my own name, address, and phone number, which I had provided to the site years ago when I registered to comment on a story.

So now I was intrigued.

The email allegedly came from the Economic Guardian, which claims to publish a financial newsletter that "covers the conservative side of stock market news." I couldn't find a website or any of the Economic Guardian's newsletters. Normally, that would be enough to get me to delete the email. But how did it have my personal information? And what was the point of the email?

Apparently anticipating that most people would wonder the same thing, the email explained that it was simply attempting to do something The Journal News had failed to do: Alert the victims of the data breach.

"To be blunt, we have no idea why the Journal News has not notified you," it stated. "They have left you in jeopardy for over two months."

One hack was acknowledged on the Gannett Blog, a private site operated by a former USA Today editor and reporter who has been blogging about Gannett Co. Inc. since 2007. But the paper itself has been strangely silent. It never notified me that my personal information (including my password) had been compromised. What's worse, I have a personal connection to the paper. I once worked there, covering real estate for its business section.

In fairness, The Journal News has been busy recently. After publishing the gun map, it had to hire RGA Investigations, a security firm, to provide armed guards to protect its buildings and its executives' homes. (I wonder if those guards were among the people identified as permit holders on the map.) Along with The Journal News, the website of RGA Investigations was hacked.

Still confused by the email and its message, I turned to my go-to source for information about data security: a young man with renowned skills as a hacker. I asked him specifically about the Economic Guardian's claims that it had been able to download an Excel spreadsheet of all of the compromised data from a "Swedish hacker website."

In 30 minutes, he had the spreadsheet in hand.

"I was able to obtain the full database, which contains thousands of names, addresses, phone numbers, and email addresses," my source said. "It also has hashed versions of the victim's passwords. A hashed password is a password that is encrypted, so it must be cracked before it can be used. But based on some things I'm reading on the Internet, some of the passwords in the database have already been cracked."

The first hack occurred Jan. 1, so the paper "really should have alerted people" by now, he said.

Why didn't it? Your guess is as good as mine. I'm still trying to get a response from someone at The Journal News. And if the company ever bothers to answer, I'll share whatever it says.

For now, I have work to do. I'm one of those fools who use the same password on multiple sites. Now that my standard password has made it into worldwide hacker databases, I guess it would be a good idea to change it on every site where I have used it.

Noreen Seebacher,

Noreen Seebacher, the Community Editor of Investor Uprising, has been a business journalist for more than 20 years. A New York City based writer and editor, she has worked for numerous print and online publications. Her work has appeared in The New York Times, the New York Post, New York’s Daily News, The Detroit News, and the Pittsburgh Press. She co-edited five newsletters for Real Estate Media’s GlobeSt.com and served as the site's technology editor.

She also championed the commercial real estate beat at The Journal News, a Gannett publication in suburban New York City, and co-founded a Website focused on personal finance. Through her own company, Stasa Media, Noreen has produced reports, whitepapers, and internal publications for a number of Fortune 500 clients. When she's not writing, editing, or Web surfing, she relaxes in an 1875 Victorian with her husband and their five kids, four formerly homeless cats, and a dog.

Big-Data Draws Attention at Interop New York

Even at a trade fair better known for seminars on information technology, big-data was too significant to ignore.

Time to Tame the Meta-Monster

All Analytics readers have serious issues with the data hidden in digital photos.


So bizarre
  • 3/8/2013 10:08:11 AM
NO RATINGS

Hi Noreen. This is one of the oddest stories I've read in a long time! It almost seems as if you received the email about the breach because you'd written about Gannett. Did you get that sense? Or do you think the timing was pure coincidence?

Re: So bizarre
  • 3/8/2013 2:40:27 PM
NO RATINGS

 

Bizarre is a good word for it.

Why wouldn't they notify people who's data has been compromised? Since they have the email list, just sending a prompt email would be the bare minimum.  Publishing an article wouldn't hurt.  They really didn't do so? 

I'm curious to see how they respond to your questions.

PC

Re: So bizarre
  • 3/8/2013 3:02:03 PM
NO RATINGS

I'm really curious, too. Data privacy isn't something to toy around with. In fact, most states have data breach laws in effect that mandate notification when a breach involves personally identifiable information, don't they?

Re: So bizarre
  • 3/8/2013 3:38:58 PM
NO RATINGS

 

Yes, there are notification laws, which vary by state.  The NY state law is AB4254 which was signed in 2005, so this isn't a new issue.

And with data for 10,000 accounts hacked, this breach is a big deal.

PC

Re: So bizarre
  • 3/8/2013 3:46:27 PM
NO RATINGS

You have to wonder why Economic Guardian isn't going to authorities, then, rather than to the "victims." Something doesn't smell right about this whole thing!

Re: So bizarre
  • 3/8/2013 5:35:20 PM
NO RATINGS

@ Noreen, if I'm understanding things correctly, I think a possible reason why the Gannett paper didn't notify anyone, if this did occur, was the paper had already broadcast the information to the world, that the hackers did.  Though one did it legally and the other didn't. 

 

Re: So bizarre
  • 3/8/2013 8:33:23 PM
NO RATINGS

No Seth - that is not it. The hackers exposed login info for the papers website. The paper published the names of gun permit owners.

Re: So bizarre
  • 3/8/2013 9:14:25 PM
NO RATINGS

The only possible explanation I can come up with is that the newspaper was caught without a plan in place to deal with such a case and ignored it hoping it would pass unnoticed. Inaction usually is this is a result of lacking direction. Not too good in this case.

Re: So bizarre
  • 3/9/2013 6:02:10 AM
NO RATINGS

Thanks Noreen. 

While Gannett may have the power to suppress the media, I am a little surprised some other news source didn't broadcast.  Or maybe they have a mutual understanding that one won't report the other. 

I'm wondering what the law says about disclosure on this issue, since this is not a financial institution. 

When I register to comment on a news site, sometimes I use a mock address such as 111 Street St. City, CA USA to prevent junk mail and such. Though rarely I do that because if it is a heated issue, I doubt anyone reads all 300 prior comments, before making a comment of their own. 

 

Re: So bizarre
  • 3/10/2013 6:53:07 PM
NO RATINGS

@Seth, I wouldn't think there'd be anything holding back other media companies from spreading this bad news far and wide about a competitor. Media companies after all have earned nicknames like muckrakers and yellow press, etc.

Re: So bizarre
  • 3/11/2013 7:37:57 AM
NO RATINGS

I'm sure most companies have no qualms sharing bad news about their competitors, especially in such a tough media marketing atmosphere

Re: So bizarre
  • 3/11/2013 11:32:31 PM
NO RATINGS

@Noreen, case in point. Check out how other media outlets have been reporting the spin-off of Time Inc. There is downright giddiness in it. Daniel Gross' smirky countenance in his headshot does not help either.

Re: So bizarre
  • 3/12/2013 7:38:12 AM
NO RATINGS

You're right - good points

New York Hack victims
  • 3/10/2013 9:09:15 AM
NO RATINGS

Has anyone in the NY area looked up their names on the database? How do you feel about the theft of your personal information - and more importantly, the newspaper's failure to contact you?

Re: New York Hack victims
  • 3/10/2013 9:15:31 AM
NO RATINGS

JOURNALISM: Gannett Paper Exposes Gun Owners, Hides Hacks. "To be blunt, we have no idea why the Journal News has not notified you. . . . They have left you in jeopardy for over two months."

Re: New York Hack victims
  • 3/10/2013 9:16:55 AM
NO RATINGS

How are victims of this hack planning to respond?

Re: New York Hack victims
  • 3/10/2013 9:17:48 AM
NO RATINGS

If you want me to check for your name in the database, I will try to do so -- as long as I don't get too many requests.

Re: New York Hack victims
  • 3/10/2013 2:52:03 PM
NO RATINGS

This is really an odd and disturbing story. I realize that no financial data was exposed - or so it seems. But the victims still should have been notified.

Re: New York Hack victims
  • 3/10/2013 5:09:13 PM
NO RATINGS

I agree. Think companies have an obligation to disclose any unauthorized access to data.

Re: New York Hack victims
  • 3/11/2013 8:21:31 AM
NO RATINGS

It seems pretty mysterious and maybe that's wny the paper hasn't yet notified anyone pending trying to figure out just what happened. Maybe the "hacker" got an old employee to provide a list? Maybe it wasn't really a hack but just some social engineering. Who knows at this point, but curious nonetheless.

Re: New York Hack victims
  • 3/11/2013 9:40:13 AM
NO RATINGS

I spoke to some people at the paper over the weekend. We will post a video followup very soon. That should explain some of the issues.

Re: New York Hack victims
  • 3/11/2013 9:51:44 AM
NO RATINGS

Very eager to hear that response!

Re: New York Hack victims
  • 3/11/2013 4:37:22 PM
NO RATINGS

Watch the update here

INFORMATION RESOURCES
ANALYTICS IN ACTION
CARTERTOONS
VIEW ALL +
QUICK POLL
VIEW ALL +