Yahoo plugs security breach

Order information and addresses were revealed on a demo site of one of the portal's e-commerce partners. Yahoo blames a software glitch, and says the information is no longer exposed.

In what one expert called a "violation of one of the basic principles of privacy," Yahoo until this afternoon revealed the addresses and order information of customers of one of its e-commerce partners.

Yahoo Store producer Paul Graham said the breach was a software bug that Yahoo fixed as soon as it was notified by CNET News.com. Graham said that all software contains bugs and "it would be naïve to promise that there'll be no bugs in the future."

"All I can really say is we do care a great deal about privacy," Graham said.

The incident comes as Rep. Edward Markey (D-Massachusetts) prepares to introduce a bill to regulate the use of personal data on the Internet, and as privacy advocates meet in Washington at the Computers, Freedom and Privacy conference.

The information was exposed on a demo site targeted at potential tenants of Yahoo Store. The demo site included customer data from Vitanet, a nutritional-supplement vendor. Included in the exposed order data were partial credit card numbers, products ordered, amounts spent, and a link to a map. The map link went to Yahoo Maps and gave customers' street addresses and a map of their surrounding area. The products ordered and amount spent are still on the site, but can no longer be linked to customers' addresses.

The demo site was easily accessible by going to the Store area from the More Yahoo page. The Store page offers visitors a test drive, which takes users to the "tracking tools" of the demo site. Through the tracking tools, visitors could access individual customer orders.

Although the order data did not include customer names or phone numbers, that information can be easily obtained through reverse lookup directories such as Infospace or Excite People Finder.

Graham said that although the link to customers' addresses had been up for "several weeks," no one at the company was aware of the glitch. Graham added that no one complained to the company about it.

"If someone had had a problem, they would have complained about it to us and we would have jumped right on it," Graham said.

Sandy Davidson, communications law professor at the University of Missouri's journalism school, said the taking of order information and using it for the demo site violated the principle that "information turned over for one use shouldn't be used for another purpose without consent."

Davidson said it is "disturbing" that the demo site provided customer addresses and involved nutritional product orders.

"Nutritional information is getting darn close to medical information, and medical information is the hallmark of privacy," Davidson said.

Vitanet owner Mark Kowalski said Vitanet has been a Yahoo Store tenant since August 1996 and has allowed its order information to be used for the demo site for at least a year. However, he said he was unaware that the demo site provided links to customer addresses and included partial credit card numbers.

"I had no knowledge that that was happening," Kowalski said. "It was probably an oversight, because I wouldn't want it up there."

Kowalski said he has some 20,000 customers. According to the order information, Vitanet has received about 14,700 orders for its products since September 1996. Although Vitanet's store site includes no privacy statement, Kowalski said he doesn't give out personal information.

"That is my policy, even though we don't have a statement on there," Kowalski said.

Jeff Scott of Charlotte was among those whose addresses and orders were exposed by Yahoo. An order he placed on Tuesday provided links to both his work address and his home address, and gave the type of credit card he used and the partial credit card number.

Scott said he often orders merchandise online and he was upset that his order information was made public.

"I generally expect it to be held private within the company itself," Scott said.