Stolen data live on in Google searches

to receive a call from a Chronicle reporter asking if she recognized the personal information, which had been crawled and stored by Google as Google caches all unprotected data it finds on the Web.

"Google seems so friendly," she said. "I don't understand why they don't do a better job protecting our data."

Google spokesman Michael Kirkland said that in general, the search engine doesn't remove cached data, which disappears automatically at some point after its source is taken down. Google expects Webmasters to remove problem content themselves and provides tools to help them do it.

"Google, like all search engines, is a reflection of the content and information that's available on the Internet," he said. "We actively work to keep users informed on how they can stay safe online."

In this case, however, Google did remove the cached pages, but it took the company two tries to delete them.

Such incidents of data theft have become so common that some cybercrime trackers have given up on contacting Internet users to let them know their personal information has been exposed.

Sensitive data all over

Finjan, the Israeli security company that discovered this particular stash, said it finds similar data stored on servers around the world nearly every other day - Social Security numbers, medical records, confidential business records.

Law enforcement is ill-equipped to secure this virtual Wild West, where sensitive information can remain in Web site caches long after a server has been disabled.

Finjan reported the stolen data to a variety of authorities, but one of them, the FBI, said it wasn't concerned with the cache - only the evidence on the server.

"We tell people we can't be responsible for protecting data or ensuring that whatever is happening is all cleaned up," said Joe Schadler, a spokesman for the FBI's San Francisco office. "We're not security experts."

Savvy get tricked, too

Even those who are savvy about Internet security - or the lack thereof - are still learning.

The same thieves who tracked the Colorado woman's online activity swiped the information for two bank accounts belonging to James Pope, an attorney in Houston who teaches classes in identity theft. Pope said he didn't know his machine was infected until after he noticed a $3,500 withdrawal from his Wachovia account and called the bank. He was told that he had probably clicked on an ad to prevent spyware and downloaded a keylogging program.

"I didn't know you could click on an ad and get a virus," he said.

Pope's information, along with that of the Colorado woman, was among hundreds of other pages of stolen data - log-ins and passwords for Facebook, YouTube, Web-based e-mail programs like Yahoo, and many other Web sites; cookies that would enable thieves to assume their owners' identities at some sites; records of every destination people visited when they surfed the Web.

Credit cards exposed

One person surfing from a computer in Florida had searched for books on Amazon.com and for information on parents and young children at AOL, Yahoo and the Australian Broadcasting Corp. She also exposed her credit card number when she purchased an online first-aid class from a secure site.

At a computer in California, someone checked the status of an immigration case at a government Web site and then moved on to a site that streams pornographic videos.

It's hard to tell what thieves are looking for when they steal all this data, said Mary Landesman, a researcher at Scansafe in San Mateo. They may, for instance, skim off gaming passwords, which are selling well now, but, she said, "what's happening with the rest of the information, we can only guess."

 TOP