AOL and US government expose personal data
Confidential information on more than half a million people has been leaked
Two high-profile breaches of data security this week have highlighted the need for rigorous security and processes to help firms avoid bad publicity that could harm their brands and cost them customers.
Just a day after two men were charged with stealing a laptop containing sensitive data from the home of an employee of the US Department of Veterans Affairs, the department this week announced that another computer had gone missing, this time from a subcontractor's office.
The desktop computer reportedly contained information on up to 38,000 veterans including names, social security numbers, dates of birth and insurance details.
Meanwhile AOL apologised after it mistakenly released data from its search logs on more than 600,000 customers' search habits. The data was intended to be used on the firm's recently launched AOL Research site, and although the usernames were changed to random identification numbers, privacy activists complained that individuals could be identified if their search strings were viewed.
To help firms reduce the risk of exposing such data, analyst firm Gartner has suggested best practices to prevent information leaks. Research vice-president Rich Mogull said companies should deploy content monitoring and filtering tools for all outbound traffic, including email, instant messaging and web mail; and back-up tapes and laptops should be encrypted in case they are lost or stolen.
Mogull added that firms should ensure all workstations are kept up to date with anti-spyware protection and the latest patches; and portable storage media should be locked down.
Marc Shinbrood, chief executive of web application security vendor Breach Security, said the biggest risk to firms is not that they will lose intellectual property or break the law, but that they will suffer bad publicity, which could damage their brands and undermine customers’ trust.
“Legal compliance is a necessary evil but it isn’t the driving force for security,” Shinbrood said. “If you talk to [IT security chiefs] their job is to keep the company off the front page of the Wall Street Journal, or from appearing in front of a government regulatory committee, or having their customers doubting whether they should do business with them.”