Possible security breach seen at AOL

America Online Inc. is acknowledging an "issue" that allowed some of its members to gain access to online financial portfolios of other members. But the Internet service provider downplayed the incident, saying no personal identifying information such as usernames or credit card numbers was ever compromised.

"We've heard from a handful of members yesterday who brought it to our attention," AOL spokesman Nicholas Graham said today. "So we've been in the process of looking into what the situation is, and we've taken some immediate corrective steps to address the issue. Although there is no more information, we're working very diligently to provide a resolution to it as soon as possible."

Among those upset by what he called a security breach is Michael Szkaradek, an attorney and Certified Public Accountant in Santa Ana, Calif. Szkaradek spoke with Computerworld yesterday about the incident, which he said occurred when he logged onto AOL's Personal Finance page to check his portfolio and was given another user's portfolio. He said it was the second time in a month he entered his own account information and got a different account.

"I have various portfolios set up so that I can track not only my investments but proposed investments as well, so I signed on last month and I got a completely erroneous set of investments," Szkaradek said.

At the time, Szkaradek said he thought AOL had simply crossed the accounts. Because he has more than one screen name, he assumed the company had taken an old set of portfolios and displayed them on his current one.

"I didn't think it was that big a deal because I figured something just got crossed within my accounts," he said. "But they gave me a way to fix it and then it worked fine."

Then yesterday Szkaradek got someone else's portfolio when he logged onto AOL, and he later supplied Computerworld with screenshots of the other user's portfolio information to back up his story.

"It wasn't even related to me," he said. "It very much shocked me because someone else could be looking at mine, and anybody could be looking at anybody's."

Szkaradek started poking around in the other user's portfolio and decided to add information to that account to let the other person know that AOL had let him access the account. "I told him to give me a call and I gave him my phone number and left my e-mail address," he said. "I didn't try to delete any of his portfolios, but it was clear to me that I could."

Szkaradek said he is furious because AOL doesn't see the problem as a security breach. He said he contacted AOL yesterday and received the following response:

"Thank you for contacting the Personal Finance Channel. My name is Kevin and I'll be assisting you today. Your portfolios are still safely on our servers. There appeared to be an issue with the Portfolios not being recognized for some members. Our programmers have corrected this at this time. I apologize for any inconvenience this may have caused."

But Szkaradek said it wasn't that the system didn't recognize his portfolios; it gave him someone else's portfolios. He considers that a breach of security and promptly fired off an e-mail to AOL.

"In case you haven't discerned this fact from the foregoing, I am furious that: (1) AOL has allowed this latest breach of information security to happen and continue to exist (especially considering the fact that I reported the problem to AOL last month); and (2) that I have had to expend time dealing with it since last month ... when your technical staff obviously hasn't," Szkaradek said in his e-mail.

Szkaradek said he has notified the U.S. Federal Trade Commission about the problem.