Announcing A Data Breach And Saying It’s No Big Deal: Bad Move, Blippy

Written by Evan Schuman
April 29th, 2010

Data Breach Etiquette Rule #8: The moment you announce you screwed up and exposed customers’ payment data to cyberthieves is a really bad time to lecture customers that “it’s a lot less bad than it looks” and that “it’s important to remember you’re never responsible if someone uses your credit card without your permission.” That rule is especially valid, as in the tale we’re about to tell, when both of those sentences are quite likely wrong.

Our tale is about an interesting startup called Blippy. (Note: A very prominent co-founder of Blippy’s is Philip Kaplan, the Pud of F*cked Companies fame. Yes, that makes one of the deepest ironies in Silicon Valley coming up the street right now.)

On Friday (April 23), Kaplan announced on the company’s blog that four customers had their credit card numbers exposed on the site because Google cached some of its early testing. For some reason, Blippy publicly tested with live payment card numbers.

“We are serious about security and want to assure Blippy users that this was an isolated incident from many months ago in our beta test and doesn’t affect current users,” Kaplan penned, before adding: “Also, this was not the result of a hack or security breach.” Apparently, he added that last part because customers seemingly think it’s much better to be put at risk by friends than enemies. Fear not, the message suggests, cyberthieves didn’t expose your data. We did it ourselves. I feel much better now.

Kaplan’s post is the one that said the incident was “a lot less bad than it looks.” On Monday (April 26), Blippy Co-Founder and CEO Ashvin Kumar took to the site to offer the least-surprising post in the history of blogs: After further investigation, he said, following the script of every retail data breach CEO, it turns out that it was worse than Blippy’s management initially thought.

Kumar opened his revised post by saying: “It has been a rocky weekend for Blippy. The weekend began with a front-page article in The New York Times announcing our Series A financing. The elation didn’t last long. A few hours later, reports surfaced about the discovery of credit card numbers within Google’s cached search results.” The only problem is that the Times piece actually appeared early Thursday morning (April 22). Guess Blippy likes to start its weekends early. And the first post said the breach was discovered Friday morning (April 23), which doesn’t jibe with “a few hours later.”

“In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day,” Kumar said. “Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless. It typically is.” (When it comes to credit card numbers, raw data is typically fairly harmless?)

“What we did not realize until Friday morning [April 23] was the fact that in that half-day period, Google had crawled and indexed a portion of Blippy’s pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index,” Kumar posted. “Google effectively took a snapshot of Blippy during that half-day period. Though our site has changed considerably since early February, Google’s snapshot of these pages did not update, which effectively extended a half-day exposure into a three-month exposure.”


One Comment | Read Announcing A Data Breach And Saying It’s No Big Deal: Bad Move, Blippy

  1. Bob Swanson Says:

    Every time I see/hear a corporate mouth say that he takes (privacy/security/whatever) “seriously,” I run for cover.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.