"This was a screw up, and we are angry and upset about it," AOL spokesperson Andrew Weinstein said in a statement. "It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted. If it had been, it would have been stopped in an instant."
He said AOL had launched an internal investigation into what happened and will be taking steps to ensure "this type of thing never happens again." He said the search data, gathered from March to May, was released 10 days ago on the company's publicly-accessible research website. There was no personally identifiable data provided by AOL with those records, Weinstein said, but search queries themselves can sometimes include such information.
AOL is taking heavy criticism following the information release. In light of all the high-profile data breach cases in the last year and a half that have heightened identity fraud fears, critics said AOL should have known better.
"The utter stupidity of this is staggering," blogger Michael Arrington wrote on his Techcrunch site. "AOL has released very private data about its users without their permission."
While the data displays random ID numbers in place of each user's AOL username, Arrington said, "the ability to analyse all searches by a single user will often lead people to easily determine who the user is and what they are up to. The data includes personal names, addresses, Social Security numbers and everything else someone might type into a search box."
The Planet Potato blog offered similar criticism. "[ISPs and telecom companies] always try and placate the masses by saying that [data] will be adequately protected," the blog said. "It never is and is invariably abused by whomever has least interest or knowledge in protecting the data."