Evan Schuman's StorefrontBacktalk

Data Breach Etiquette Rule #8: The moment you announce you screwed up and exposed customers’ payment data to cyberthieves is a really bad time to lecture customers that “it’s a lot less bad than it looks” and that “it’s important to remember you’re never responsible if someone uses your credit card without your permission.” That rule is especially valid, as in the tale we’re about to tell, when both of those sentences are quite likely wrong.

Our tale is about an interesting startup called Blippy. (Note: A very prominent co-founder of Blippy’s is Philip Kaplan, the Pud of F*cked Companies fame. Yes, that makes one of the deepest ironies in Silicon Valley coming up the street right now.)

On Friday (April 23), Kaplan announced on the company’s blog that four customers had their credit card numbers exposed on the site because Google cached some of its early testing. For some reason, Blippy publicly tested with live payment card numbers.

“We are serious about security and want to assure Blippy users that this was an isolated incident from many months ago in our beta test and doesn’t affect current users,” Kaplan penned, before adding: “Also, this was not the result of a hack or security breach.” Apparently, he added that last part because customers seemingly think it’s much better to be put at risk by friends than enemies. Fear not, the message suggests, cyberthieves didn’t expose your data. We did it ourselves. I feel much better now.

Kaplan’s post is the one that said the incident was “a lot less bad than it looks.” On Monday (April 26), Blippy Co-Founder and CEO Ashvin Kumar took to the site to offer the least-surprising post in the history of blogs: After further investigation, he said, following the script of every retail data breach CEO, it turns out that it was worse than Blippy’s management initially thought.

Kumar opened his revised post by saying: “It has been a rocky weekend for Blippy. The weekend began with a front-page article in The New York Times announcing our Series A financing. The elation didn’t last long. A few hours later, reports surfaced about the discovery of credit card numbers within Google’s cached search results.” The only problem is that the Times piece actually appeared early Thursday morning (April 22). Guess Blippy likes to start its weekends early. And the first post said the breach was discovered Friday morning (April 23), which doesn’t jibe with “a few hours later.”

“In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day,” Kumar said. “Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless. It typically is.” (When it comes to credit card numbers, raw data is typically fairly harmless?)

“What we did not realize until Friday morning [April 23] was the fact that in that half-day period, Google had crawled and indexed a portion of Blippy’s pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index,” Kumar posted. “Google effectively took a snapshot of Blippy during that half-day period. Though our site has changed considerably since early February, Google’s snapshot of these pages did not update, which effectively extended a half-day exposure into a three-month exposure.”