AOL apologizes for exposing search data

By Bill Brenner, Senior News Writer 08 Aug 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

"This was a screw up, and we're angry and upset about it," AOL spokesperson Andrew Weinstein said in a statement. "It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted. If it had been, it would have been stopped in an instant."

He said AOL has launched an internal investigation into what happened and will taking steps to ensure "this type of thing never happens again." He said search the data, gathered from March to May, was released 10 days ago on the company's publicly accessible research Web site. There was no personally identifiable data provided by AOL with those records, Weinstein said, but search queries themselves can sometimes include such information.

AOL is taking heavy criticism following the information release. In light of all the high-profile data breach cases in the last year and a half that have heightened identity fraud fears, critics said AOL should have known better.

"The utter stupidity of this is staggering," blogger Michael Arrington wrote on his Techcrunch site. "AOL has released very private data about its users without their permission."

While the data displays random ID numbers in place of each user's AOL username, Arrington said, "the ability to analyze all searches by a single user will often lead people to easily determine who the user is and what they are up to. The data includes personal names, addresses, Social Security numbers and everything else someone might type into a search box."

The Planet Potato blog offered similar criticism. "[ISPs and telecom companies] always try and placate the masses by saying that [data] will be adequately protected," the blog said. "It never is and is invariably abused by whomever has least interest or knowledge in protecting the data."

Tags: Identity Theft and Data Security Breaches,  Information Security Incident Response,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Information Security Incident Response Data breach notification legislation: What info must be released? Incident response planning Mature SIMs do more than log aggregation and correlation New partnerships, creative thinking help security bust recession Senators hear call for federal cybersecurity restructuring Tying log management and identity management shortens incident response Tabletop exercises sharpen security and business continuity Security incident response 101 Firms muddle security breach response, expert says Microsoft Conficker worm offers attack prevention lesson Information Security Incident Response Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary