
© Xamax Consultancy Pty Ltd,  1995-2024


Vignettes of Corporate Privacy Disasters

Roger Clarke **

Revision of 15 March 2018

© Xamax Consultancy Pty Ltd, 2006-18

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at


Handling privacy badly can do a corporation damage. This page provides a few selected vignettes, showing instances of negative impacts on corporations resulting from bad behaviour.

This document is not in any way a census of all of the large number of privacy disasters that have been perpetrated by corporations. It's just a sample, and it's only updated occasionally. Feel free to send me information and URLs relating to other significant cock-ups.

This page contains the following vignettes:

Lotus Marketplace: Households - 1990-91

In April 1990, the then very successful Lotus Corp., in a joint venture with Equifax, developed a product called Lotus MarketPlace: Households - a CD-ROM containing a vast array of consumer data. Consumer protest killed it in January 1991 (Culnan 1991, Culnan & Smith 1995, Gurak 1997).

Intel's Processor Serial Number - 1999-2000

In 1999, Intel announced that it would include a unique Processor Serial Number (PSN) in its new generation of chips. The stated purposes of the PSN included identifying eCommerce customers.

A campaign against the PSN was quickly mounted by the Electronic Privacy Information Center (EPIC), JunkBusters and Privacy International. Spoofing Intel's 'Intel Inside' advertising campaign, it used the slogan 'Big Brother Inside'.

The company released some batches of chips into the field, but resistance grew even stronger, and much broader, even including the Chinese Government (Guangming 1999). In April 2000, the company announced that it was dropping the feature (McCullagh 2000).

Doubleclick - 1999-2000

Doubleclick's stock price suffered badly following revelations about its privacy-invasive practices. It was forced to abandon its plans to consolidate personal data with the clickstream data it collected online, surreptitiously and without consent (Fields & Cohen 2003).

Eli Lilly - 2001-02

Pharmaceutical company Eli Lilly manufactures the anti-depressant medication Prozac. On 27 July 2001, an auto-generated e-mail message sent to subscribers of the company's Medi-messenger reminder service included all of the recipients' e-mail addresses within the To: line of the message, thereby disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.

The blunder attracted media attention out of all apparent proportion to its small scale, because of the extreme sensitivity of the information disclosed. An ACLU complaint forced the FTC to find against the company (FTC 2002a).
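The Eli Lilly disclosure is a mechanical error that an outbound-mail gate catches trivially. The following is an added example, not Eli Lilly's code and not from any system described on this page; the subscriber addresses are constructed at example.com, and the "transport" is a stand-in callable for whatever actually submits the message. It builds the leaky single-message broadcast beside the per-recipient form, and refuses to send anything whose delivered headers expose more than one recipient.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed subscriber list; stands in for the 669 Medi-messenger addresses.
SUBSCRIBERS = ["ann@example.com", "bob@example.com", "cy@example.com"]


def build_broadcast_leaky(sender, recipients, subject, body):
    """The failure mode: one message whose To: header names every subscriber.

    Every recipient can read all the other addresses, and the subject line
    tells them why those people are on the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_broadcast_safe(sender, recipients, subject, body):
    """One message per subscriber; the delivered headers expose only that subscriber."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses any recipient can read from the delivered headers (To: and Cc:).

    Bcc: is deliberately excluded: a compliant submission path strips it
    before delivery (smtplib.send_message does), so it is not visible.
    """
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(raw) if addr]


def leaks_recipient_list(msg):
    """Outbound gate: True if more than one recipient is exposed in the headers."""
    return len(visible_recipients(msg)) > 1


def send_guarded(msg, transport):
    """Refuse to hand a list-leaking message to the transport; returns True when sent."""
    if leaks_recipient_list(msg):
        raise ValueError("refusing to send: recipient list exposed in headers")
    transport(msg)
    return True
```

The gate belongs at the point where every automated mailing leaves the organisation, not in the one script that happened to be fixed after the incident; the check is cheap and the sensitivity of a list is rarely visible to the script that addresses it.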

Microsoft - 2002

As Microsoft sought to hold off gathering storms surrounding the insecurity of Windows and Office, EPIC and others forced the FTC's hand in relation to another set of the company's products.

The company was found by the FTC to have falsely represented that it employed adequate security measures in relation to its Passport and Passport Wallet services (FTC 2002b).

Benetton - 2003

On 12 March 2003, Benetton and Philips Electronics jointly announced that RFID chips were to be installed in Benetton's Sisley clothing line. RFID tags enable tracking not only along the supply chain (which all parties are enthusiastic about), but also in and beyond the retail outlet (RFID 2003; both Benetton and Philips appear to have later withdrawn the media release from their sites).

The consumer action group, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), immediately launched a Boycott Benetton campaign. On 4 April 2003, Benetton publicly retreated from its plans (Batista 2003).

ChoicePoint - 2004-07

"In October 2004, ChoicePoint, an Atlanta-based data services provider, discovered it mistakenly issued user accounts to Nigerians posing as a legitimate small business. The scammers potentially gained access to some 140,000 consumer records in ChoicePoint's system. ...

"By February 2005, ChoicePoint's name was splattered across the press in the first of many -- and more serious -- breaches to be revealed under newly adopted state disclosure laws. ...

"The market cap of ChoicePoint ... dropped 22% in the ensuing three months ... Until then, ChoicePoint had been growing its business at a healthy rate of more than 10% a year, but suddenly it became a household term associated with identity theft." ... (all above quotes from Gartner 2006).

A review of the debacle, written for corporate executives such as Chief Information Security Officers, is in Scalet (2005). The company was allowed to settle its liabilities at federal level with $US 15 million in penalties (FTC 2006). A later settlement with the States added a further $0.5 million to the penalties - although the legal costs would have been higher than that of course, and the negative publicity much more significant.

The impact was not felt only by the company concerned: "The U.S. Congress convened hearings on the data brokerage and credit industry's practices in managing sensitive customer data." (Gartner 2006)

Google - 2004-

Since 2004, Google has come under increasing fire from privacy activists. The first major salvo related to its Gmail service (PRC 2004). The inherently privacy-intrusive nature of many of Google's services has been exacerbated by the company's cavalier attitudes, by the freedoms it grants itself through its privacy policy statements, and by its evident intention to cross-link the data from its many businesses by means of its imposition of a single identifier on each user (Clarke 2006).

To date Google has successfully exploited its status as a successful investment and its 'don't be evil' mantra as shields against sceptical questioning from journalists. The honeymoon won't last forever.

Sony BMG - 2005-07

In 2005, Sony BMG was discovered to have published millions of CDs that installed a rootkit. (A rootkit is malware that circumvents normal protections in order to enable user-hostile functions to be performed without detection).

When it was caught out, the company issued misleading statements. It then released patches to uninstall the rootkit, but in doing so it exposed users to an even more serious vulnerability. The company eventually recalled the CDs (Schneier 2005). See also Groklaw 2005-11.

Lengthy criminal investigations were undertaken, the majority of US States litigated, and class-action lawsuits were also brought against the company in both the USA and Canada. The saga cost the company many millions, but also a lot of executive time and a great deal of consumer goodwill.

Hewlett-Packard - 2006

In 2006, senior executives of Hewlett-Packard were deeply implicated in "questionable, and perhaps illegal, subterfuge to obtain phone records of [its own] directors and journalists". It resulted in a U.S. House of Representatives Committee writing a letter to the company expressing serious concern about the company's use of pretexting and data brokers, and initiating Hearings (HoR 2006).

This led to the early departure of the CEO, and forced the company to issue "a statement full of apologies and attempts to restore good relations" (Darlin 2006).

The affair added further fuel to the blaze of publicity about the lack of credibility of the Boards and senior executives of major American corporations. And the inability of the courts to enforce criminal charges undermined the credibility of the law. But HP still paid the state of California $14.5 million in penalties.

Unsolicited Telephone Calls - 2003-

Faced with an ongoing consumer revolt over unsolicited telephone calls, the US Congress finally passed the Do-Not-Call Implementation Act in March 2003. By the end of the first month of operation in October 2003, over 50 million numbers had been signed up with the US National Do-Not-Call Registry, in the expectation that this would prevent marketing calls. That count more than doubled by the end of 2005. Surveys suggest that about 75% of US private subscribers have registered.

Some segments of business have made strenuous attempts to have the legislation overturned (but it was found by the courts to be constitutional), and to create loopholes in the Act (so far without success).

As early as November 2003, the FCC proposed to fine AT&T $780,000 for calls to 29 consumers on 78 separate occasions after those consumers had requested that AT&T not call them again (FCC 2003). Miscreants during 2004-05 included American Express, and Dynasty Mortgage which committed 70 violations @ $11,000 each (FCC 2007).

During 2006, DirecTV, a major supplier of satellite TV, was fined $100,000; a commercial book club, a Doubleday affiliate, forfeited $680,000; and Credit Foundation of America paid nearly $1 million for making deceptive prerecorded calls (Smith 2007).

Regulatory action is hotting up in spam and spyware as well, with the FTC forcing companies that install spyware on unsuspecting users' computers to forfeit more than $6.5 million (Smith 2007).

Inadequate Information Security - 2007

The UK Financial Services Authority (FSA) fined Nationwide Building Society £980,000 "for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year" (FSA 2007).

Information Security Breach Notification Laws - 2003-

In the early 2000s, there was a long succession of media stories about leaks of personal data from company databases, primarily in the USA. For one example, see ChoicePoint above. Many involved credit-card details and other data useful for identity fraud. The US Government added fuel to that particular fire by referring to the risks as being to 'identity theft' (whose consequences are severe, but which is uncommon) rather than 'identity fraud' (which has been commonplace for years, long before the Internet, and indeed long before the intrinsically insecure credit-card facility was invented).

There is evidence that these breaches impact share prices, although usually less spectacularly than occurred with ChoicePoint (Campbell et al. 2003, Telang & Wattal 2005, Acquisti et al. 2006). Despite that evidence, however, many corporations and industry associations fail to take appropriate actions to improve the security of personal data.

The Californian legislature responded in 2003, by passing a Security Breach Notification Law (originally SB 1386, which can be found in California Civil Code Sections 1798.29 and 1798.82). This requires that California consumers be notified when sensitive personal data about them is illegitimately obtained from a server or database (Givens 2003).

"To September 2006, ..., 34 states have passed information breach notification laws similar to California's" (Gartner 2006). The ripple effect has not been restricted to the USA, with the Australian Privacy Commissioner announcing that she was recommending that such a law be passed in Australia (Miller 2006).

FaceBook - 2004-2012

A form of web-site emerged around 2003-04 referred to generically as 'social networking services' (SNS). From the very beginning, SNS have been blatantly exploitative of personal data. My initial criticisms at the beginning of 2004 focussed on an early leader in the emergent marketplace, Plaxo.

During the next few years, market dominance in many countries was achieved instead by Facebook. This had been launched by Mark Zuckerberg in early 2004, within Harvard University, but was widely available by mid-2004. It enjoyed explosive growth during the following years, with traffic volumes catching up with Google's by the end of 2009. Its advertising revenue grew progressively, and it was also reported as achieving profitability from about the end of 2009.

The service has always exposed some of each user's profile-data, but the nature and extent of the exposure has kept growing. In late 2006, Facebook imposed new features on users without prior notice, let alone consent. One example that gave rise to substantial negative feedback from users was the auto-publication of changes to users' profiles to all of their friends. Many users were unhappy about Facebook's right to disclose users' data to other companies ("We may share your information with third parties, including responsible companies with which we have a relationship"). Reports suggested that user-pressure resulted in the clause being removed from the company's privacy policy in the revision of November 2008.

Many other concerns have existed throughout Facebook's life, such as non-conservative default settings, inadequate granularity in the privacy settings, complex and unhelpful user interfaces for managing privacy settings, and unannounced, arbitrary changes variously to privacy settings, the user interfaces whereby they can be managed, and the effects of the settings that users have already chosen. Also of concern has been the lack of clarity about whether and how data can actually be deleted.

In September 2007, Facebook began allowing non-members to search for users, with the intent of opening limited 'public profiles' up to search engines such as Google. This was also implemented non-consensually. And in late 2007, a feature called Beacon was added, enabling third-party websites (particularly commercial sites) to gather data about users and pass it to Facebook, for automatic publication. The company's responses to criticisms and requests for change, rather than dissipating concerns, added to them. In due course, Facebook was forced by a class-action lawsuit to abandon the Beacon program in November 2009 and pay a $US 9.5 million settlement (Guynn 2010).

In mid-2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) lodged a 35-page complaint with the Canadian Privacy Commissioner. The Commissioner's Report supported some of the heads of complaint (PCC 2009). Facebook agreed to comply with some, but not all, of the Commissioner's recommendations. However, an analysis of the changes that Facebook actually made suggested that the company had subverted the intention (Bankston 2009).

In late 2009, privacy controls for the News Feed and Mini Feed were removed, making it impossible for users to exercise control over the activities published on their walls and flushed out to the public news feed. Then, in December 2009, Facebook unilaterally declared particular information, including 'lists of friends', to be "publicly available", with no privacy setting. Apart from breaching prior undertakings to users, this created physical danger for those who lived in countries subject to repressive regimes. This gave rise to a wave of criticism (Jones 2009), including from EFF, ACLU and EPIC, and closure and suspension of Facebook pages by a variety of commentators. It also resulted in a further investigation by the Canadian Privacy Commissioner. Again, Zuckerberg sought to brazen his way through it. One of his reported epithets was "the default is social".

During 2010, things did not go well for the reputations of Facebook and its founder. In January 2010, Kirkpatrick (2010) attributed to Zuckerberg the statement that "if [I] were to create Facebook again today, user information would by default be public". Then in March, Carlson (2010a) made serious accusations about unethical behaviour by Zuckerberg during the foundation phase of the service in early 2004.

In late April, Opsahl (2010) documented the successive changes in Facebook's privacy policies, and summarised the story this way: "Since its incorporation ..., Facebook has undergone a remarkable transformation. When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads". The same day, a report was published that attributed to a Facebook employee the statement "[Zuck] doesn't believe in [privacy]" (Van Buskirk 2010).

In May, a Wired headline declared 'Facebook's Gone Rogue' (Singel 2010). Then it was widely reported that Zuckerberg had explained to a friend in 2004 that people submitted personal data to him because "They 'trust me'. Dumb f..ks" (Carlson 2010c, 2010).

Then an article demonstrated just how long it took, and how much understanding it demanded, to 'put Facebook on a privacy lockdown' (Carlson 2010b), and the New York Times represented Facebook's privacy settings as 'A Bewildering Tangle of Options', involving 50 settings with more than 170 options (NYT 2010). An animation of the evolution of profile settings from 2005 to 2010 was displayed at, and tools for checking privacy settings were on offer at

The long succession of privacy-breaching actions by the company has culminated in widespread cynicism about both the company and its founder. In the space of a few days in mid-May, a considerable amount of 'bad press' was delivered by a wide range of opinion-leaders, including accusations of classic 'bait-and-switch' manoeuvring (Grossman 2010). Modest numbers of people abandoned the service, and tried to delete their data from the site. The EU's privacy committee issued a rebuke, saying that "It is unacceptable that the company fundamentally changed the default settings on its social-networking platform to the detriment of a user" (, 2010). And a formal complaint was submitted to the US regulator, requesting the FTC to "determine whether the company has in fact engaged in unfair and/or deceptive trade practices, require Facebook to restore privacy settings that were previously available ..., [and] require Facebook to give users meaningful control over personal information" (EPIC 2010).

At the beginning of 2011, Facebook resumed its relentless drive to exploit its users' personal data. It amended a dialogue box to invite users to approve their home addresses and phone number being accessible by third-party developers (Moyer 2011). This was seen by commentators as part of an attempt by Facebook to succeed where other initiatives had failed (such as Microsoft Passport) and become the dominant identity management hub (e.g. Vaughan-Nichols 2011). Strong negative reactions forced the company to backtrack within a few days (Gustin 2011). A BBC report took the opportunity to include a short review of Facebook's troubled privacy history.

From its beginnings and onward throughout its life, Facebook and its founder have demonstrated privacy-insensitivity and downright privacy-hostility. This has reflected both the founder's dismissive attitude to the privacy interests of other people and the dependence of the company's business model on targeted advertising. The company's behaviour has been gradually undermining its strong position in the market, and may well be responsible, in the relatively short term, for large-scale destruction of shareholder-value.

A series of high-handed actions, compounded by a number of what may well have been outright blunders, dogged Facebook through 2011 and into 2012. By April 2012, even a social media spruiker (O'Connor 2012) was warning about the potential for distrust through privacy breach to undermine the Facebook brand:

"[social networking services make] profit primarily by using heretofore private information it has collected about you to target advertising. And Zuckerberg has repeatedly made sudden, sometimes ill conceived and often poorly communicated policy changes that resulted in once-private personal information becoming instantly and publicly accessible. As a result, once-latent concerns over privacy, power and profit have bubbled up and led both domestic and international regulatory agencies to scrutinize the company more closely.


"The high-handed manner in which members' personal information has been treated, the lack of consultation or even communication with them beforehand, Facebook's growing domination of the entire social networking sphere, Zuckerberg's constant and very public declarations of the death of privacy and his seeming imposition of new social norms all feed growing fears that he and Facebook itself simply can not be trusted."

Google Buzz and WiFi - 2009-12

Despite the gathering clouds outlined earlier, Google led a charmed life through to 2009. Users were highly enthused by the features of each new (near-permanent beta) service and each additional feature that the company released. They were too busy to think critically about what the deal was that they were getting themselves into. The media, including most of the 'technical' media, reprinted Google media releases, and gushed about the smart people that the company employed, the clever way it had got control of the Web advertising market, and how much money it was making. Hagiography abounded, and critical analysis was seldom undertaken and little-reported.

Then, between December 2009 and May 2010, the company made a series of blunders that cost it its undeserved halo.

The first mistake was on 9 December 2009, when CEO Eric Schmidt said, during what should have been just another advertorial interview, "If you have something that you don't want [Google] to know, maybe you shouldn't be doing it in the first place". The statement was widely covered in the media, with many commentators deploring his sentiment. Here is an EFF article. See also this piece on 'Google, Privacy, and You': "There has never before been a time in human history when one single, private entity has collected this much information on a measurable percentage of the world's population". The warnings that had been given by privacy advocates 5-6 years earlier were beginning to reach the mainstream.

The second mistake was the release of Buzz on about 10 February 2010. Buzz was intended to leverage Gmail into the Social Networking space. As explained in my own first take on the product, "Personal data about gmail subscribers has been re-purposed. Specifically, each gmail subscriber's associations with 'other people' are being disclosed to other 'other people'. This has been done without formal notice to them, and without their consent ... The actions taken are quite possibly illegal use and disclosure of personal data without consent". Further, "location-display may be opt-out, not consent-based. And of course the personal data in this case is potentially highly-sensitive, from a safety perspective". Yet worse, it appeared that people who were not Gmail subscribers could be caught up in the web of unauthorised disclosures, simply by being a regular correspondent with one or more people who were Gmail subscribers.

Commentators were extremely negative about the appropriation of personal data held by Google to new purposes, and about the failure to put privacy-conservative defaults in place (e.g. NYT 12 Feb 2010). The wave of media coverage was the most negative response that any release by Google had ever encountered. The spin that the company's media relations quickly launched suggested that the company had backed off very quickly (e.g. NYT 14 Feb 2010), and some actual improvements appear to have been made (e.g. Bhat 2010).

The blunder had broader implications. On 19 April 2010, 10 Privacy Commissioners wrote a joint letter to Google, saying "your recent rollout of the Google Buzz social networking application ... betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services. ... In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service ... Unfortunately, Google Buzz is not an isolated case. ... We therefore call on you ... to incorporate fundamental privacy principles directly into the design of new online services".

Privacy advocates remained very negative about Buzz, but, much more significantly than that, it was suddenly okay for normal people to think critically about Google's offerings. The company's careful nurturing of trust (or, as a cynic would have put it, the triumph of the company's image-management over the substance of the matter) had been seriously compromised, and was in no fit state to withstand the damage that could be caused by another mistake on the same scale.

The third mistake came to light on 22 April 2010, when The Register reported that "[Google's] Street View service is under fire [from the German Data Protection Commissioner, Peter Schaar] for scanning private WLAN networks, and recording users' unique [device] addresses, as the car trundles along".

Google's European privacy advisor, Peter Fleischer, tried to hose down the furore with a posting on 27 April 2010. Rather than putting the matter to rest, the text raised further doubt in many people's minds. Further investigations ensued, not least by the Data Protection Commissioner of one of the German Länder (states), Hamburg.

Google then went into damage limitation mode. Its most senior engineer published a post on 14 May 2010, mirrored here, which said that "[Hamburg Commissioner Caspar's] request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in [the Fleischer post] on April 27 was incorrect ... It's now clear that we have been mistakenly collecting samples of payload data [i.e. message content] from open (i.e. non-password-protected) WiFi networks". Further, "we [have] grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it. ... In addition, given the concerns raised, we have decided that it's best to stop our Street View cars collecting WiFi network data entirely".
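The distinction the engineer's post draws, between recording which networks exist and "collecting samples of payload data", is one a collector can enforce structurally rather than by policy. The following is an added illustration, not Google's code (which has never been published): a minimal WiFi survey collector that keeps only the BSSID and SSID carried in 802.11 beacon frames and drops every other frame unread, so that data-frame payload cannot be captured by accident. The frame layout is simplified (no FCS, no QoS field) and the sample frames are constructed inline; the HTTP-looking payload in the test is invented.

```python
# Minimal 802.11 frame triage: record network identifiers from beacons only,
# and never store data frames, so payload cannot be captured by accident.
FC_TYPE_MGMT = 0
FC_TYPE_DATA = 2
SUBTYPE_BEACON = 8
HDR_LEN = 24           # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12  # Timestamp(8) Beacon interval(2) Capability(2)
EID_SSID = 0


def frame_type(frame):
    """Return (type, subtype) from the first Frame Control octet."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """BSSID and SSID of a beacon frame; None for anything that is not a beacon."""
    if len(frame) < HDR_LEN + BEACON_FIXED_LEN:
        return None
    ftype, subtype = frame_type(frame)
    if ftype != FC_TYPE_MGMT or subtype != SUBTYPE_BEACON:
        return None
    bssid = mac_str(frame[16:22])               # Addr3 carries the BSSID in a beacon
    body = frame[HDR_LEN + BEACON_FIXED_LEN:]   # tagged parameters: id, length, value
    ssid = ""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        if eid == EID_SSID:
            ssid = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
            break
        i += 2 + ln
    return {"bssid": bssid, "ssid": ssid}


def survey(frames):
    """Metadata-only survey. Returns ({bssid: ssid}, number of frames dropped).

    Data and control frames are counted and discarded; their bytes are never
    copied into the result, whether the network was encrypted or open.
    """
    networks = {}
    dropped = 0
    for frame in frames:
        rec = parse_beacon(frame)
        if rec is None:
            dropped += 1
            continue
        networks[rec["bssid"]] = rec["ssid"]
    return networks, dropped


# Constructed frames for the demonstration (simplified: no FCS, no QoS field).
def make_beacon(bssid, ssid):
    # Type 0 (management), subtype 8 (beacon): first FC octet 0x80.
    hdr = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"
    return hdr + fixed + bytes([EID_SSID, len(ssid)]) + ssid


def make_data_frame(bssid, src, payload):
    # Type 2 (data), subtype 0: first FC octet 0x08; FromDS flag in the second.
    hdr = bytes([0x08, 0x02, 0x00, 0x00]) + b"\xff" * 6 + bssid + src + b"\x00\x00"
    return hdr + payload
```

The point of the allow-list design is that the question the Hamburg Commissioner had to ask ("what exactly have you been collecting?") is answered by the code's shape: only beacon-derived fields have a path into storage, so a review does not depend on trusting that a capture filter was configured correctly on every car.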

The backflip and mea culpa were widely reported, e.g. "European privacy regulators and advocates reacted angrily Saturday to the disclosure by Google ... that it had systematically collected private data since 2006 while compiling its Street View photo archive" (NYT 15 May 2010).

By this stage, Data Protection Commissioners in multiple jurisdictions across Europe, and as far afield as New Zealand, were in earnest discussion with their local Google offices, seeking factual responses to a variety of questions about Wifi-related data collection, use and retention. Advocacy group Consumer Watchdog was reported to have written to the US Federal Trade Commission (FTC) urging it to investigate Google's behaviour.

In many jurisdictions, it's quite likely that the collection of message payloads was in breach of local data protection law, and quite possible that the collection of device-identifiers was as well. Actual prosecution appeared unlikely in most jurisdictions, not least because most data protection laws are subject to very limited enforcement actions. The Irish Data Protection Commissioner, for example, quickly dismissed the possibility of legal action. On the other hand, countries that may pursue the matter include France and, significantly for Google, Italy (Sayer 2010). Beyond any possible court action, however, the media and the public had delivered harsher judgements than any courts could have done. For Google, the fairy-tale was over.

In April 2012, the US Federal Communications Commission (FCC) eventually fined Google for obstructing its investigation of the Street View data collection. New information that emerged in the FCC's report caused the UK ICO to re-open its investigation. Then, in July 2012, Google discovered that it had failed to comply with its undertakings to delete all of the data that it had collected in at least 10 countries. That drew fire even from the usually business-friendly Irish Data Protection Commissioner (Vinograd & Satter 2012).

Taking a broad view, two related factors appear to have been major contributors to the problems that Google has created for itself. One factor is the company's devil-may-care approach to engineering. This places high value on creativity, rapid prototyping and a 'permanent-beta' culture, and low value on QA, release management, and other kinds of filtering and control mechanisms that mature corporations have learnt to impose. A second factor is the presumption that people everywhere are just like Google engineers, and hence can be relied upon to have the same enthusiasms. Internal, alpha, beta and user testing are therefore one and the same thing. No need exists for consultation with the hordes of individual users, nor with the organisations that represent and advocate for their interests. After this series of train-smashes, perhaps voices of calm reason within the company will no longer be ignored.

Octopus, Hong Kong - 2010

Octopus has been one of the world's most successful contactless smartcard applications. Since 1997, it has enabled both identified and anonymous payment on Hong Kong's public transport system, and has expanded into several related areas such as car-parks and convenience stores.

In mid-2010, the company was forced by the Hong Kong Privacy Commissioner to retract a previous denial and admit that it had been selling its customers' personal information since January 2006, and had accumulated over $US 5 million from doing so (HK-PCPD 2010, Yu 2010).

The results for the company included the resignation of the CEO over her "mismanagement and initial denial about her company's actions", harm done to the brand to the extent that the departing CEO felt it necessary to urge the public to continue using Octopus Cards, and contribution of the entire $US 5 million to charities (Chong 2010).

The result for business as a whole was that, at a stage when a review of the legislation was drawing to a conclusion, both the outgoing and incoming Privacy Commissioners felt it necessary to call for criminal sanctions to be created for misuse of personal data.

Sony - 2011

In mid-April 2011, "hackers exploited a known security vulnerability" on Sony's web-sites, exposing personal data including [loginids and] credit-card details of "as many as 100 million customers of Sony's PlayStation Network [PSN], Sony Online Entertainment and Qriocity film and music service" (Edwards & Riley 2011).

The article continued: "It takes about a half a year to stabilize sales and confidence in a company's network after a breach, Lawrence Ponemon, founder of the Ponemon Institute, which studies the financial cost of data breaches, said in an interview".

The hacked files were critical to the use of the services, and PSN was unavailable to its 77 million users for more than 4 weeks, and longer in parts of Asia.

In July, it was reported that Sony's insurer was seeking to avoid any liability to cover the company's costs (Berkowitz 2011). As early as May, the direct impacts on Sony were estimated at $US178 million in the current financial year; but that was likely to rise significantly, with the court briefs suggesting that 55 class-action complaints had been filed in the United States alone.

Google - 2012

On 25 January 2012, Google announced that it was making substantial changes to the Terms of Service and Privacy Policies that applied to consumers. The c. 60 documents were now consolidated into one (plus, it transpired, a few others). The effect was to enable data arising from all services to be consolidated, and used and disclosed for any purpose relating to any service.

The changes needed to be seen in their context:

The responses from regulators, oversight agencies and advocacy groups included the following. Some quotations are from the EPIC site. See also the Daily-Mail article of 2 March 2012:

Google ignored the tumult, and left the arrangements in place, changing the Terms and Policies on 1 March 2012.

Postscript: Microsoft quietly took advantage of Google's leadership in the consumer-hostility stakes, and made similar changes to its Terms of Service - and got away with it (Sullivan 2012).

Telstra - 2012

Telstra is one of Australia's largest corporations. It is the dominant telco, a result of privatisation of the PTT several decades ago. Telstra had been involved in a variety of privacy breaches in recent years. For example, in December 2011, it was discovered that 734,000 customer records had been exposed on the Web, for a period of 8 months. The privacy oversight agency prevaricated, then refused to publish the findings of its investigation, and let the corporation off with the lightest of warnings. The telecommunications regulator, ACMA, found that a serious breach had occurred, but also failed to take any meaningful action. This was announced only after 7 months had elapsed (Moses 2012).

At the same time, in June 2012, tech-savvy customers uncovered the fact that the telco was sending to a third party, outside the country, the URLs that Telstra's mobile customers visited. This was being done in real-time (i.e. less than a quarter-second across the Pacific). The justification was that the other company was developing a new web filtering product and needed raw data for experimentation. The company, Netsweeper, is based in Canada, but the data was sent to the USA, which meant that the data was subject to only very weak privacy protection laws, and was readily available to US government agencies. Moreover, Netsweeper has a record of selling censorware to Middle Eastern governments (Gregory 2012).

Telstra at first sought to manage the crisis. It declared that this was "normal network operation", and then that no personal data was involved, because only the pathnames were transmitted, without the parameter data. That was met with public derision, and was shown to be wrong as well. The company was lambasted by an Internet luminary - and ex-Telstra employee (Huston 2012). Arguments were put forward by a variety of people that the action was in breach of the Telecommunications Access and Interception Act (TIAA) - and involved serious criminal offences subject to gaol terms.

By early July, the corporation had halted the practice, and the CEO had told staff in an internal email that the company had "broken our customers' trust [which] is a commodity that's both precious and fragile ... It takes months and years to build, but can be broken in one day ... [Privacy is] an essential requirement and our licence to operate" (itNews 2012). Pressure was growing on the weak Privacy Commissioner, the weak telecommunications regulator (ACMA), and the unwilling Australian Federal Police (AFP) to actually take some action against the breaches.

Instagram - 2012

Instagram is a social media service-provider centred on photo-sharing from handhelds. It was launched in 4Q 2010, initially for Apple iPhones and iPads, in 2012 extending to Android-based mobile devices. It was perceived to be 'cooler' than its predecessors, particularly flickr and Google's Picasa, and enjoyed very rapid growth. The company, with 13 employees, was acquired by Facebook for (nominally) about $1 billion in 2Q 2012, only 18 months after launch.

In mid-December 2012, the company exercised its self-granted right to change its Terms of Service when and how it wished, declaring substantial changes with a month's notice (McCullagh 2012). The changes enabled Instagram to charge organisations for the use of users' images and data, without recompense to the user, and without the user's consent, or even knowledge, and without even the ability to opt-out.

With the public sensitised to abuses of this kind, particularly by Facebook and Google, but also Microsoft, the change was noticed and remarked upon by many commentators. A wave of criticism ensued. Probably importantly, National Geographic suspended its Instagram account.

Instagram appears to have had no public relations contingency plans in place. After 30 hours, the company withdrew the wording, and set about licking its wounds (McCullagh & Tam 2012). A class action was under way within a week (Levine 2012).

The furore appears to have resulted from a combination of the obvious commercial unfairness (profiting from the work of others, and denying them a cut), overlaid with privacy concerns about the content of the images and associated data.

Target - 2013-15

Between 27 November and 18 December 2013, US retailer Target was subject to a cyber-attack that compromised data on at least 40 million customers and possibly another 70 million (Krebs 2014).

It subsequently emerged that the breach had been detected, and the company warned about the problem, on 30 November and 2 December, but failed to act promptly, which enabled the volume of data that leaked to escalate (Heavey 2014). That deficiency created much greater exposure to negligence lawsuits.

Significant reductions in revenue followed, "after news of the cyber attack and theft of payment card data spooked shoppers". The company suffered a 46% drop in net profit in the quarter and an 11% drop in share-value. "Target's reputation ... had been tarnished by the fact that many customers have either had to have payment cards replaced or find themselves checking their monthly statements more closely, giving them a negative association with the retailer" (Finkle 2014).

The first few months' costs were declared in early 2014 as being $61 million, with much more to come for such items as card-reissue, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investments. The total cost "would certainly be in the hundreds of millions of dollars and could top $1 billion". In August 2014, the company's estimate had reached $148 million, of which $38 million was offset by insurance - but claims were not yet settled, and it was recognised that the figure could go higher (Masters 2014).

Over a year later, further elements had become clearer, with class-action claims resulting in settlements of USD 20m to banks, $20m to MasterCard, $67m to Visa and $10m to some of its own customers. This was declared by the corporations affected to be a lot less than the total expenses they incurred. Total liquid costs had reached $290m less $90m covered by insurers, but there were still more actions in train, and a vast amount of wasted executive and staff time (itNews 2015).

In 2017, an additional amount of $25m was paid to resolve a multi-state investigation (Ramakrishnan & Bose 2017). The company said that the total cost of the breach had been USD 202m, but that was inconsistent with the many previous reports, was clearly misleading information, and clearly referred to liquidated damages and omitted lost staff time and executive focus and unrecompensated losses by other parties.

Home Depot - 2014-15

In September 2014, Home Depot announced that there had been a very large breach of its payment data systems (McGrath 2014). It was immediately speculated that the breach might cost the corporation $100 million [as it turned out, a conservative estimate]. The stock-price dropped 2.5%. It was later announced that "Attackers stole 56 million payment card details and collected 53 million email addresses of people who shopped at Home Depot's stores between April and September in the U.S. and Canada".

It later reported $43m in costs in September and October 2014 alone, of which it expected $15m to be covered by insurance (HD 2014). It was also facing a significant number of lawsuits, from "customers, payment card brands, payment card issuing banks, shareholders or others". It expected to incur significant legal and other professional services expenses in future periods, and "the ultimate amount paid on these services and claims could be material to the Company's consolidated financial condition, results of operations, or cash flows in future periods".

The laxness of the company's security safeguards was evident from its statement that "the intruder used a vendor's user name and password to enter the perimeter of the Company's network. The intruder then acquired elevated rights that allowed it to navigate portions of the Company's network and to deploy unique, custom-built malware".

By March 2016, "Home Depot said it has booked US$161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds". Of this, at most $US10.8 million (c. 5%) went to litigants - plus $8.7m to their lawyers (itNews 2016b).

By March 2017, the figures reported by itNews (2017) were "US$134.5 million which it paid in compensation to card brands and financial institutions" plus, to litigants, the $19.5m mentioned in the previous para. and an additional $25m newly reported. That $US179m "is expected to rise considerably factoring in legal fees and other charges", not to mention the substantial internal costs of investigation, reorganisation and the deflection of executive and managerial attention away from the company's business.

Ashley Madison - 2015-17

In mid-2015, 25GB of data was published, extracted from the database of Ashley Madison, a dating website that promoted extramarital affairs. Identity, address, search history and transaction records were disclosed, about not only current but also all past clients, a total of 37 million identities. The story unfolded progressively, so the Wikipedia page is easier reading than the string of media reports.

It was later reported that the parent company, Toronto-based Avid Life Media, had lost a quarter of its revenue, spent millions addressing the problem, paid a USD 1.7m bribe (or whatever the polite term is) to buy its way out of a US FTC investigation, paid USD 11.2m to settle a class action (one-third for the litigants' lawyers), and presumably paid its own lawyers some millions as well (Stempel 2017).

TalkTalk - 2015-16

In October 2015, UK telco TalkTalk suffered a data breach. The impacts included Stg80m / AUD164m for financial costs and loss of revenue, suspension of marketing activities, a 3% loss of subscriber-base, and a substantial drop in share-price (itNews 2016a).

Yahoo - 2017

A succession of attacks on Yahoo resulted in sensitive personal information of at least 500 million users being stolen and offered on black data markets, and users' accounts being able to be accessed by third parties. The attacks occurred in at least two waves in 2013 and 2014, but only came to public knowledge in July and December 2016. The disclosures had political repercussions in various countries. Many news reports exist, but for a summary, see the Wikipedia entry.

It was later reported that the events had the effect of "shaving $US350 million from the price" for the sale of Yahoo's Internet operations to Verizon Communications, plus the substantial costs of the investigations, and of responding to and settling the score or more of lawsuits. The failure to heed the warning signs from security staff cost the CEO not her job, as it should have done, but merely two years' bonus payments. The corporation's legal counsel took the rap and resigned (Goel 2017).

Equifax - 2017

In early September 2017, the monstrous consumer surveillance corporation Equifax was forced to admit to what may be the single largest data breach to date. It occurred from mid-May to the end of July 2017. The company became aware of it on 29 July, but disclosed it only on 7 September. "Equifax's stock, which had been up in regular trading, dropped more than 13 percent in after-hours trading following the announcement" (Ng & Musil 2017; see also Schneier 2017). It transpired that "the initial attack vector" was a vulnerability in the Apache Struts web application framework (CVE-2017-5638), which was publicly known in early March - but, in breach of its own policy to implement security patches within 48 hours, the company had done nothing about it for 4-1/2 months, until it became aware of data exfiltration on 29 July. (The use of the word "initial" presumably means that the attackers found further vulnerabilities they could use as well.)

By 27 September, the CEO, CIO and CSO had all been sacked (Lecher 2017, Volz et al. 2017). This would reasonably be expected to be severely disruptive of any organisation's operations and strategic development. The cumulative fall in share-price reached 30%.

A long trail follows such events. Equifax waived a variety of fees for the affected individuals (half the US population). By early 2018, a 5-state class action was in the courts. On top of that, a number of Equifax senior executives, including the (as yet not sacked) CFO, conducted insider trading, by selling significant share-holdings in their own company before the matter became public. One (only one??) was charged with the offence (Schroeder 2018).

Although this data breach for the most part affected Americans, it's indicative of what people elsewhere can reasonably expect from Equifax. For example, it was reported that "an online employee tool used [by Equifax Argentina] could be accessed by typing 'admin' as both a login - and password" (BBC 2017). When, a few years ago, the Australian government granted domestic credit reporting agency Veda its longstanding wish for 'positive credit reporting' (i.e. access to everything about every borrower in the country), Equifax immediately bought Veda. And Equifax is an approved gateway service provider for the Australian Data Verification Service (i.e. access to a swathe of government-held data).


Acquisti A., Friedman A. & Telang R. (2006) 'Is There a Cost to Privacy Breaches? An Event Study' Proc. Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, at

Bankston K. (2009) 'Facebook's New Privacy Changes: The Good, The Bad, and The Ugly' Electronic Frontier Foundation, 9 December 2009, at

Batista E. (2003) ''Step Back' for Wireless ID Tech?' Wired News, 8 April 2003, at

BBC (2017) 'Equifax had 'admin' as login and password in Argentina' BBC News, 13 September 2017, at

Berkowitz B. (2011) 'Sony insurer sues to deny data breach coverage' itNews, 17 July 2011, at

California Civil Code Sections 1798.29 and 1798.82, Available from

Campbell K., Gordon L., Loeb M. & Zhou L. (2003) 'The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market' Journal of Computer Security 11, 3 (Mar 2003) 431-448

Carlson N. (2010a) 'At Last -- The Full Story Of How Facebook Was Founded' Business Insider, 5 March 2010, at

Carlson N. (2010b) 'How To Put Facebook On A Privacy Lockdown' Business Insider, 11 May 2010, at

Carlson N. (2010c) 'Well, These New Zuckerberg IMs Won't Help Facebook's Privacy Problems' Business Insider, 13 May 2010, at

Chong D. (2010) 'Squirming out' The Standard, Hong Kong, 5 August 2010, at

Clarke R. (2006) 'Google's Gauntlets' Computer Law & Security Report 22, 4 (July-August 2006) 287-297, at

Culnan M.J. (1991) 'The Lessons of the Lotus MarketPlace: Implications for Consumer Privacy in the 1990's' Proc. 1st Conf. on Computers, Privacy and Freedom, Computing Professionals for Social Responsibility, 1991, at

Culnan M.J. & Smith H.J. (1995) 'Lotus Marketplace: Households...Managing Information Privacy Concerns' in Johnson D.G. & Nissenbaum H. (Eds.) 'Computer Ethics and Social Values', Prentice Hall, 1995

Darlin D. (2006) 'Embattled H.P. Chairwoman to Step Down' The New York Times, 12 September 2006, at

Edwards C. & Riley M. (2011) 'Sony Data Breach Exposes Users to Years of Identity-Theft Risk' Bloomberg Business Week, 3 May 2011, at

EPIC (2010) 'Complaint, Request for Investigation, Injunction, and Other Relief ' Electronic Privacy Information Center, 5 May 2010, at

FCC (2007) 'Annual Report on the National Do-Not-Call Registry - 2005' Federal Communications Commission, January 2007, at

Fields T.D. & Cohen J. (2003) 'Case Study: Doubleclick Inc.' Harvard Business School Case Study 9-103-016, 2003

Finkle J. (2014) 'Target breach halves holiday profit, costs $68 million to fix' itNews / Reuters, 27 February 2014, at

FSA (2007) 'FSA fines Nationwide £980,000 for information security lapses', Financial Services Authority, London, FSA/PN/021/2007, 14 February 2007, at

FTC (2002a) 'Eli Lilly Settles FTC Charges Concerning Security Breach' Federal Trade Commission, 18 January 2002, at

FTC (2002b) 'Microsoft Settles FTC Charges Alleging False Security and Privacy Promises' Federal Trade Commission, 8 August 2002, at

FTC (2006) 'ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress' Federal Trade Commission, 26 January 2006, at

Gartner (2006) 'Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow' Gartner G001142771, 19 September 2006

Givens B. (2003) 'California Security Breach Notification Law Goes into Effect July 1, 2003' Privacy Rights Clearinghouse, 23 June 2003, at

Goel V. (2017) 'Yahoo CEO Mayer loses bonus, lawyer resigns, on probe of theft of 500m' Australian Financial Review, 2 March 2017, at

Gregory M. (2012) 'Why is Telstra Next G serving your data to Netsweeper in America?' The Conversation, 28 June 2012, at

Grossman W.M. (2010) 'Bait and switch' Net.wars, 14 May 2010, at

Guangming (1999) 'Ministry of Information Industry (MII) Advises Government Agencies on Prudent Use of PIII' Guangming Daily, 30 June 1999, at

Gurak L.J. (1997) 'Persuasion and Privacy in Cyberspace : The Online Protests over Lotus Marketplace and the Clipper Chip' Yale University Press, 1997

Gustin S. (2011) 'No Facebook, You May Not Share My Address and Phone Number With Developers' Wired, 18 November 2011, at

Guyn J. (2010) 'Judge approves $9.5-million settlement of lawsuit over Facebook's Beacon program' LA Times, 18 March 2010, at

HD (2014) 'Quarterly Report to the Securities Exchange Commission' Home Depot, 24 November 2014, at

Heavey S. (2014) 'Target warned about detected malware ahead of breach' itNews, 14 March 2014, at

HK-PCPD (2010) 'Interim report on the investigation concerning personal data collected and disclosed under the Octopus Rewards Program', 30 July 2010, at

HoR (2006) Letter to Hewlett-Packard, Committee on Energy and Commerce, U.S. House of Representatives, 11 September 2006, at

Huston G. (2012) 'All Your Packets Belong to Us' The ISP Column, July 2012, at

itNews (2012) 'Telstra privacy bungle "must not happen again"' itNews, 6 July 2012, at

itNews (2015) 'Target US to pay banks $54m in data breach settlement' itNews, 3 December 2015, at

itNews (2016a) 'TalkTalk lost 101k customers, $164m after hack' itNews, 3 February 2016, at

itNews (2016b) 'Home Depot to pay out $26m in data breach settlement' itNews, 9 March 2016, at

itNews (2017) 'Home Depot pays US$25 million to settle data breach case' itNews, 13 March 2017, at

Jones T. (2009) 'The World Reacts to The New Facebook' Electronic Frontiers Foundation, 17 December 2009, at

Kirkpatrick M. (2010) 'Facebook's Zuckerberg Says The Age of Privacy is Over' ReadWriteWeb, 9 January 2010, at

Krebs (2014) 'Target Data Breach' Krebs on Security, 2013-14, at

Lecher C. (2017) 'Equifax's CEO is stepping down in the wake of the massive data breach' The Verge, 26 September 2017, at

Levine D. (2012) 'Instagram Hit With First Class Action Lawsuit After Furor Over Changes' Huffington Post, 24 December 2012, at

Masters G. (2014) 'Retailer Target expects data breach to cost $148 million' SC Magazine, 5 August 2014, at

McCullagh D. (2000) 'Intel Nixes Chip-Tracking ID' Wired News, 27 April 2000, at

McCullagh D. (2012) 'Instagram says it now has the right to sell your photos' cnet, 17 December 2012, at

McCullagh D. & Tam D. (2012) 'Instagram apologizes to users: We won't sell your photos' cnet, 18 December 2012, at

McGrath M. (2014) 'Home Depot Confirms Data Breach, Investigating Transactions From April Onward' Forbes 8 September 2014, at

Miller N. (2006) 'Data leaks under review' The Sydney Morning Herald, Next Section, 8 August 2006, at

Moses A. (2012) 'Telstra's 734,000 account privacy blunder breached multiple laws: regulators' The Age, 29 June 2012, at

Moyer E. (2011) 'Facebook tweak reveals addresses, phone numbers' CNet News, 17 January 2011, at

(2010) 'Claim Mark Zuckerberg called TheFacebook users 'dumb f..ks' for offering personal details', 14 May 2010, at

Ng A. & Musil S. (2017) 'Equifax data breach may affect nearly half the US population' cnet, 7 September 2017, at

NYT (2010) 'Facebook Privacy: A Bewildering Tangle of Options' The New York Times, 12 May 2010, at

O'Connor R. (2012) 'Facebook Is Not Your Friend' The Huffington Post, 15 April 2012, at

Opsahl K. (2010) 'Facebook's Eroding Privacy Policy: A Timeline' Electronic Frontier Foundation, 28 April 2010, at

(2010) 'EU privacy watchdogs say Facebook changes 'unacceptable'' The Register, 14 May 2010, at

PCC (2009) 'Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC)against Facebook Inc.' PIPEDA Case Summary #2009-008, Privacy Commissioner of Canada, 22 July 2009, at

PRC (2004) 'Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail' Privacy Rights Clearinghouse, 6 April 2004, at

Ramakrishnan S. & Bose N. (2017) 'Target US pays $25m to states to settle data breach' itNews, 24 May 2017, at

RFID (2003) '' RFID Journal, 12 March 2003, at

Sayer P. (2010) 'Google Street View faces investigation in France and Italy' IDG News Service, 20 May 2010, at

Scalet S.D. (2005) 'The Five Most Shocking Things About the ChoicePoint Debacle' CSO, May 2005, at

Schneier B. (2005) 'Real Story of the Rogue Rootkit' Wired Magazine (November 2005), at

Schneier B. (2017) 'On the Equifax Data Breach' Cryptogram, 15 September 2017, at

Schroeder P. (2018) 'Former Equifax CIO charged with insider trading' itNews, 15 March 2018, at

Singel R. (2010) 'Facebook's Gone Rogue; It's Time for an Open Alternative' Wired Magazine, 7 May 2010, at

Smith R.E. (2007) 'FTC Says It's Gonna Cost Ya', Forbes Commentary, 20 March 2007, at

Stempel J. (2017) 'Ashley Madison parent in $14.3m settlement over data breach' itNews, 17 July 2017, at

Sullivan D. (2012) 'Microsoft To Make Same Privacy Change Google Was Attacked For; No One Seems To Care' Marketing Land, 11 October 2012, at

Telang R. & Wattal S. (2005) 'Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation' Proc. Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, at

Van Buskirk E. (2010) 'Report: Facebook CEO Mark Zuckerberg Doesn't Believe In Privacy' Wired Magazine, 28 April 2010, at

Vaughan-Nichols S.J. (2011) 'Facebook wants to be your Internet ID Card', ZDNet, 18 January 2011, at

Vinograd C. & Satter R. (2012) 'Google: Didn't delete Street View data after all' Sydney Morning Herald, 28 July 2012, at

Volz D., Mukherjee S. & McCrank J. (2017) 'Equifax CEO follows top IT execs out the door' itNews, 27 September 2017, at

Yu E. (2010) 'Hong Kong e-payment firm admits selling customer data' ZDNet Asia, 29 July 2010, at


This page was originally developed as supporting material for:

Clarke R. (2006) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006) 26-31

Thanks to Ari Schwarz at CDT in Washington DC, Lee Bygrave in Oslo, Anna Johnston in Sydney, Beth Givens in San Diego, Jason Catlett in New York, Mary Culnan in Boston, Ross Anderson in Cambridge UK, Stephan Engberg in Copenhagen, Robert Ellis Smith of Privacy Journal in Providence RI, and to you for sending me additional leads and references.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.


Created: 27 September 2006 - Last Amended: 15 March 2018 by Roger Clarke - Site Last Verified: 15 February 2009