15 Worst Internet Privacy Scandals of All Time

8. Patient Data Exposed

In March 2011, California-based insurer HealthNet announced a privacy breach for nearly 2 million of its customers, exposing their names, addresses, Social Security numbers, health and financial data. The data were unencrypted and stored on hard drives that went missing from contractor IBM's data center. A nationwide class action suit was filed against HealthNet and IBM as a result of this incident. It was HealthNet's second big data breach in two years, having lost the Social Security numbers of 1.5 million policyholders stored on a hard drive in 2009. HealthNet isn't the only healthcare provider to lose private medical data or inadvertently post it online. The U.S. Department of Health and Human Services says personal medical data for more than 11 million people have been exposed online in the last two years.

9. Behavior Targeting is Targeted

A new area of concern for privacy advocates is behavioral targeting by online advertising services. These services create behavioral profiles based on anonymous data of how computer users surf the web and then serve up targeted ads based on these profiles. The FTC ruled in 2009 that these services must provide consumers with notice about the collecting of behavioral data and provide them with the ability to opt out. In March 2011, the FTC reached its first behavioral profiling settlement with advertising network Chitika for deceptive opt-out practices. Chitika said it mistakenly programmed the opt-out setting for 10 days, instead of the intended 10 years.

10. iPhone Tracking

Apple received so much criticism about how its iPhones and iPads were collecting and storing user location data that then-CEO Steve Jobs made a rare apology in April 2011. Jobs conceded Apple's mistakes in dealing with the location data after security researchers discovered an unencrypted file inside the devices contained a cache of locations visited over the last 12 months. Jobs emphasized that Apple was not tracking its customers: "Never have. Never will," he said, in response to the criticism from Congress and others. Apple provided a free software update to users to fix the glitch. But that wasn't the last time that location data gathered by mobile devices from Wi-Fi hotspots has come under fire. Google and Microsoft later admitted that they store the same kind of user location data on their mobile operating systems, too.

11. PlayStation Network Hacked

Also in April 2011, Sony announced that hackers had stolen personal data from 77 million PlayStation subscribers. Although this was a security breach of Sony's PlayStation Network, the privacy implications were significant given that the intruder had stolen names, addresses, email addresses and birthdates for so many customers. Sony said it was unclear whether credit card data was stolen, and it warned customers to be on the lookout for identity theft. Security experts said the Sony privacy breach was one of the largest on record. Sony estimated that the incident cost the company $171 million to rebuild its computers and purchase credit protection services for its customers.

12. Disney Violates Kid Data Rule

U.S. Web sites that target children for subscriptions or sales must comply with special rules aimed at gathering permission from parents under the Children's Online Privacy Protection Act (COPPA). In May 2011, Disney's Playdom, Inc. had the dubious honor of paying the largest-ever COPPA fine, which was a $3 million civil penalty from the FTC for gathering and sharing personal information about hundreds of thousands of children without parental consent. Playdom, which runs the popular Pony Stars site, collected kids' ages and email addresses and allowed them to post their full names and locations. Other sites that have run afoul of COPPA rules include blogging outlet Xanga.com and mobile app developer Broken Thumbs.

13. Carrier IQ

The year 2011 closed out with another privacy-oriented brouhaha, this time surrounding Carrier IQ, which sells analytics software for mobile devices. The software is used in an estimated 142 million smartphones. A systems analyst/amateur security researcher discovered this software on his smartphone, and found that it was capturing battery life, connections, text messages, emails and other actions. A slew of accusations followed, with Carrier IQ and its carrier customers being taken to task for allegedly keylogging, spying and tracking. But more detailed analysis by other professional security researchers found that the systems analyst who originally raised the issue was confusing Carrier IQ's actions with those of debug statements mistakenly left in the Android code by phone maker HTC's programmers. As it turns out, Carrier IQ was simply collecting performance data for optimizing the end users' experience. Nevertheless, the original discovery prompted Sprint and HTC to reportedly no longer include the Carrier IQ software on their devices.

14. GM to Sell Vehicle Data

General Motors has run into privacy issues with its OnStar GPS-based system, which may continue to track vehicles even after a customer cancels the service. General Motors changed its OnStar privacy policy in December 2011, indicating that it reserves the right to share data it has collected - such as a vehicle's speed, location, odometer reading, seat belt usage and airbag deployment - with other companies. This is true even for customers who have cancelled the OnStar service unless they explicitly ask for the two-way communications link to be disabled. General Motors says the data would be anonymous and aggregated before being sold. Vehicle-based telematics systems like OnStar are an emerging area for privacy concerns, with new worries about the possibility of misuse of data.

15. Voicemail Hacking

One of the biggest stories of 2011 was the shuttering of News Corp's weekly U.K. publication, News of the World, as the result of widespread hacking of the mobile voicemail accounts of politicians, celebrities and crime victims in the pursuit of stories by the tabloid publication. Investigations of this illegal behavior are ongoing, but have already led to several high-profile arrests and resignations of News Corp executives. Reporters apparently hacked into the voicemail accounts by using the default PINs that shipped with the phones.

(Thanks to the Center for Democracy and Technology, the Electronic Frontier Foundation and the online privacy service provider TRUSTe for helping with this article.)
