Just a few hours after I posted a blog that referenced a suburban New York newspaper's decision to publish a map showing the names and addresses of all gun permit holders in two counties, a curious thing happened.
I received an email warning that this newspaper's website had been hacked multiple times -- and that the "personal, private data" of its readers had been distributed worldwide. According to the email, the website of The Journal News, a Gannett newspaper in Westchester County, N.Y., has been hacked four times since it published that map.
And in a stunning apparent reversal of its quest for transparency, the paper has not bothered to notify any of the affected readers -- more than 10,000 of them, to be precise.
The email was interesting, but I probably would have blown it off as spam if it hadn't included some of the data that was breached -- specifically my own name, address, and phone number, which I had provided to the site years ago when I registered to comment on a story.
So now I was intrigued.
The email allegedly came from the Economic Guardian, which claims to publish a financial newsletter that "covers the conservative side of stock market news." I couldn't find a website or any of the Economic Guardian's newsletters. Normally, that would be enough to get me to delete the email. But how did it have my personal information? And what was the point of the email?
Apparently anticipating that most people would wonder the same thing, the email explained that it was simply attempting to do something The Journal News had failed to do: Alert the victims of the data breach.
"To be blunt, we have no idea why the Journal News has not notified you," it stated. "They have left you in jeopardy for over two months."
One hack was acknowledged on the Gannett Blog, a private site operated by a former USA Today editor and reporter who has been blogging about Gannett Co. Inc. since 2007. But the paper itself has been strangely silent. It never notified me that my personal information (including my password) had been compromised. What's worse, I have a personal connection to the paper. I once worked there, covering real estate for its business section.
In fairness, The Journal News has been busy recently. After publishing the gun map, it had to hire RGA Investigations, a security firm, to provide armed guards to protect its buildings and its executives' homes. (I wonder if those guards were among the people identified as permit holders on the map.) Along with The Journal News, the website of RGA Investigations was hacked.
Still confused by the email and its message, I turned to my go-to source for information about data security: a young man with renowned skills as a hacker. I asked him specifically about the Economic Guardian's claims that it had been able to download an Excel spreadsheet of all of the compromised data from a "Swedish hacker website."
In 30 minutes, he had the spreadsheet in hand.
"I was able to obtain the full database, which contains thousands of names, addresses, phone numbers, and email addresses," my source said. "It also has hashed versions of the victim's passwords. A hashed password is a password that is encrypted, so it must be cracked before it can be used. But based on some things I'm reading on the Internet, some of the passwords in the database have already been cracked."
The first hack occurred Jan. 1, so the paper "really should have alerted people" by now, he said.
Why didn't it? Your guess is as good as mine. I'm still trying to get a response from someone at The Journal News. And if the company ever bothers to answer, I'll share whatever it says.
For now, I have work to do. I'm one of those fools who use the same password on multiple sites. Now that my standard password has made it into worldwide hacker databases, I guess it would be a good idea to change it on every site where I have used it.