AOL sets new record for (in)security.

IF YOU'VE SEEN an AOL commercial lately, you'll note how much the company loves to flaunt its ground-breaking features and accomplishments. Claims of being the biggest ISP, the most customisable service, the easiest to use, offering the best features, etc, are all common themes of AOL advertising, ending with the company's slogan: "So easy to use, no wonder its #1."

AOL can now add another accomplishment to its list: "Biggest security disaster in ISP history". That's the inherent problem with being the world's largest ISP—when you screw things up, you tend to really screw them up—for lots of people. In this particular case, hackers have compromised security at AOL to such a degree that the personal information of all 35 million subscribers may be compromised. That's definitely a feat to put on the next commercials for AOL 9.0. Hackers have gained access to Merlin (AOL's customer database application) despite the fact that the system requires a user ID, two passwords, and a specialized ID code to gain access.

If AOL can't patch the holes and verify the data of its users, the company could find itself in real trouble. A database of 35 million credit cards is a gold mine too good to pass up, but those same customers will vanish if they feel AOL can't protect their data.

In this case, AOL's unique structure could prove a real detriment. The company has made a considerable niche for itself by offering the Internet in a pre-packaged, easy-to-surf form for those who aren't so computer literate. Though sneered at by most techies, AOL has been the gateway through which many people first explored the 'net, and remains a valuable service for certain groups of people. At the same time, however, these are the exact people who are most vulnerable to attack. You won't find many AOL members running firewall software or taking steps to encrypt their own personal information. This puts even more of a burden on AOL than on the average ISP to ensure that their servers are secure—a burden the company is obviously dropping badly.

America Online has been going through a very difficult time lately, and has announced its intent to focus on other measurements of growth rather than the number of subscribers it has. A true stroke of genius. Charging a price premium for a premium service is a perfectly acceptable business practice, but that assumes the service is worth paying for. Now, more than ever, AOL needs to offer its users and potential users proof that the company is stable, the service is secure, and the premium features offered by AOL itself are worth the extra per-monthly fees paid to gain them over a standard ISP.

Unless the company's goal is to establish such an awful security reputation for itself that any step is an improvement, this isn't the best way to go about creating that kind of reputation. It might be a good idea to hire a security chief whose idea of protected data isn't locking the computers in a room. µ