IT managers for AOL and the Australian government may have had some sleepless nights last month
August wasn’t a good month for promoting the security of personal data, as various big names were hit by problems.
AOL was in the headlines for a breach of data privacy. It inadvertently exposed the search histories of more than 650,000 users, whose data became widely available across the internet. Though AOL stressed that the information did not include personal details, a US newspaper swiftly identified one subscriber by analysing the available search terms.
The situation led to a heated debate over the amount and type of personal data that firms are storing, and should be allowed to retain. Following the debacle, AOL’s chief technology officer and two other staff parted ways with the company.
HSBC also came under the spotlight last month, after Cardiff University researchers announced they had found a way to circumvent the online bank’s log-in system. They said hackers could use keylogging software installed on a third-party PC to collect the log-in data required to access a victim’s bank account within a few attempts. HSBC’s reliance on a numeric-only passcode, and the fact that it doesn’t always change the three digits requested at log-in, made its system vulnerable, the researchers warned.
HSBC argued that such attacks are very unlikely, as a hacker would have to go through a laborious process to access just one bank account. But as an HSBC customer, I wasn’t particularly surprised by news of the flaw. I’ve used its web banking facility for many years, and have never been required to change my passcode or been advised to update it.
Though HSBC played down the potential for hacking, I’m sure the bank’s customers would prefer to see any potential problem taken very seriously, even if there’s only a slight chance that any one of us would be affected.
It wasn’t only private companies in the news, though, as reports emerged last month that 600 Australian government staff had been routinely searching the national identity card system to look up details of friends and family, or possibly to enable identity theft. Almost 800 security breaches later, police are investigating five employees at the Centrelink government agency; 19 have been sacked and 92 others have resigned.
While HSBC was fortunate that the weakness in its system was exposed before it was exploited, AOL and the Australian government could not brush off their problems so easily.
I’m sure the UK government could learn a few important lessons about the need to secure its planned identity card system to avoid similar problems here. And the situation at AOL will remind IT chiefs that if problems occur, the buck could well rest with them.
>> More Madeline Bennett articles