AOL's chief technology officer is stepping down and the firm has fired two other people following last month's massive data breach that caused more than 36 million member search queries to be released on the Internet, according to an internal memo and a source familiar with the matter.
In addition, the company has begun notifying dozens of individuals whose Social Security or credit card numbers were part of the exposed data, said the source, an employee who spoke on the condition of anonymity because it involved a personnel issue. The data came from 658,000 members who used AOL's search engine between March and May.
The news comes as AOL's profits have been falling and the company, in an effort to reverse its fortunes, is eliminating subscriptions and focusing more on advertising revenue. Maureen Govern, whose division was responsible for the breach, decided to leave immediately, according to an in-house announcement by AOL chief executive Jonathan F. Miller. The individuals fired were the researcher who posted the data and the researcher's supervisor, the source said.
"After the great lengths we've taken to build our members' trust and be an industry leader on privacy, it was disheartening to see so much good work destroyed by a single act," Miller said in a separate company memo. "This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team."
Miller said AOL also will set up a task force to reconsider how long it saves data, including search terms such as those disclosed last month on an AOL Web site intended for academics who study how people search the Internet. The firm also will further restrict internal access to search data and other "potentially sensitive" member data, even if it is made anonymous with a random identification number or not linked to an individual's account, the memo said.
Andrew Weinstein, an AOL spokesman, said that data held in a user's name are stored for 30 days. Anonymous data are kept indefinitely.
Last week, Weinstein said the company had no way to link such data to an individual because the firm "double scrambles" ID information -- first giving each member a random identification number and then assigning that number a new one.
AOL has asked credit card companies to notify those individuals whose card numbers appeared in search queries, according to the source, who declined to explain how the firm was identifying people based on Social Security numbers.
"There are mechanisms to help notify people," the source said.
Kevin Bankston, staff attorney at the Electronic Frontier Foundation, said notifying members whose data was posted was "the right thing to do," but AOL should go further and notify as many members as possible whose data was made public.
"I don't think any personnel changes at any particular company are going to get at the root of the problem, which is that . . . these companies, whether it's AOL, MSN, Yahoo or Google, are storehousing massive amounts of incredibly sensitive and intimate data about their customers or users and yet those users have little idea that this is being done," Bankston said.
The advocacy group has filed a complaint against AOL with the Federal Trade Commission, alleging deceptive practices and violation of the firm's privacy policy.
The company said it was developing new systems to ensure that sensitive information was not included in research databases, and would launch a program to educate employees on how to protect sensitive information and address privacy issues.
Govern, hired in September, will be replaced by the firm's former technology officer, John McKinley.
Staff researcher Richard Drezen contributed to this report.