Gannett Paper Exposes Gun Owners, Hides Hacks

Just a few hours after I posted a blog that referenced a suburban New York newspaper's decision to publish a map showing the names and addresses of all gun permit holders in two counties, a curious thing happened.

I received an email that warned this newspaper's website had been hacked multiple times -- and that the "personal, private data" of its readers had been distributed worldwide. According to the email, the website of The Journal News, a Gannett newspaper in Westchester County, N.Y., has been hacked four times since it published that map.

And in a stunning apparent reversal of its quest for transparency, the paper has not bothered to notify any of the affected readers -- more than 10,000 of them, to be precise.

The email was interesting, but I probably would have blown it off as spam if it hadn't included some of the data that was breached -- specifically my own name, address, and phone number, which I had provided to the site years ago when I registered to comment on a story.

So now I was intrigued.

The email allegedly came from the Economic Guardian, which claims to publish a financial newsletter that "covers the conservative side of stock market news." I couldn't find a website or any of the Economic Guardian's newsletters. Normally, that would be enough to get me to delete the email. But how did it have my personal information? And what was the point of the email?

Apparently anticipating that most people would wonder the same thing, the email explained that it was simply attempting to do something The Journal News had failed to do: Alert the victims of the data breach.

"To be blunt, we have no idea why the Journal News has not notified you," it stated. "They have left you in jeopardy for over two months."

One hack was acknowledged on the Gannett Blog, a private site operated by a former USA Today editor and reporter who has been blogging about Gannett Co. Inc. since 2007. But the paper itself has been strangely silent. It never notified me that my personal information (including my password) had been compromised. What's worse, I have a personal connection to the paper. I once worked there, covering real estate for its business section.

In fairness, The Journal News has been busy recently. After publishing the gun map, it had to hire RGA Investigations, a security firm, to provide armed guards to protect its buildings and its executives' homes. (I wonder if those guards were among the people identified as permit holders on the map.) Along with The Journal News, the website of RGA Investigations was hacked.

Still confused by the email and its message, I turned to my go-to source for information about data security: a young man with renowned skills as a hacker. I asked him specifically about the Economic Guardian's claims that it had been able to download an Excel spreadsheet of all of the compromised data from a "Swedish hacker website."

In 30 minutes, he had the spreadsheet in hand.

"I was able to obtain the full database, which contains thousands of names, addresses, phone numbers, and email addresses," my source said. "It also has hashed versions of the victim's passwords. A hashed password is a password that is encrypted, so it must be cracked before it can be used. But based on some things I'm reading on the Internet, some of the passwords in the database have already been cracked."

The first hack occurred Jan. 1, so the paper "really should have alerted people" by now, he said.

Why didn't it? Your guess is as good as mine. I'm still trying to get a response from someone at The Journal News. And if the company ever bothers to answer, I'll share whatever it says.

For now, I have work to do. I'm one of those fools who use the same password on multiple sites. Now that my standard password has made it into worldwide hacker databases, I guess it would be a good idea to change it on every site where I have used it.

Noreen Seebacher,

Noreen Seebacher, the Community Editor of Investor Uprising, has been a business journalist for more than 20 years. A New York City based writer and editor, she has worked for numerous print and online publications. Her work has appeared in The New York Times, the New York Post, New York’s Daily News, The Detroit News, and the Pittsburgh Press. She co-edited five newsletters for Real Estate Media’s and served as the site's technology editor.

She also championed the commercial real estate beat at The Journal News, a Gannett publication in suburban New York City, and co-founded a Website focused on personal finance. Through her own company, Stasa Media, Noreen has produced reports, whitepapers, and internal publications for a number of Fortune 500 clients. When she's not writing, editing, or Web surfing, she relaxes in an 1875 Victorian with her husband and their five kids, four formerly homeless cats, and a dog.

Big-Data Draws Attention at Interop New York

Even at a trade fair better known for seminars on information technology, big-data was too significant to ignore.

Time to Tame the Meta-Monster

All Analytics readers have serious issues with the data hidden in digital photos.

Re: So bizarre
  • 3/8/2013 3:38:58 PM


Yes, there are notification laws, which vary by state.  The NY state law is AB4254 which was signed in 2005, so this isn't a new issue.

And with data for 10,000 accounts hacked, this breach is a big deal.


Re: So bizarre
  • 3/8/2013 3:02:03 PM

I'm really curious, too. Data privacy isn't something to toy around with. In fact, most states have data breach laws in effect that mandate notification when a breach involves personally identifiable information, don't they?

Re: So bizarre
  • 3/8/2013 2:40:27 PM


Bizarre is a good word for it.

Why wouldn't they notify people who's data has been compromised? Since they have the email list, just sending a prompt email would be the bare minimum.  Publishing an article wouldn't hurt.  They really didn't do so? 

I'm curious to see how they respond to your questions.


So bizarre
  • 3/8/2013 10:08:11 AM

Hi Noreen. This is one of the oddest stories I've read in a long time! It almost seems as if you received the email about the breach because you'd written about Gannett. Did you get that sense? Or do you think the timing was pure coincidence?

<<   <   Page 3 / 3