This is page 2 of:
Announcing A Data Breach And Saying It’s No Big Deal: Bad Move, Blippy
The problem here is that Kumar is suggesting the problem is with Google having captured, as opposed to Blippy having exposed, the data on the site when it was publicly viewable. That distinction is rather alarming. It’s akin to a security guard getting in trouble because someone used a smartphone and recorded him sleeping on the job. And then building management addresses the problem by banning smartphones.
Kumar reported that his team worked with Google “to remove the search snippets and search results on Google for the discovered cards. Google removed these 200 or so URLs promptly.” He also said: “On Saturday morning [April 24], upon the discovery of an additional card, we requested Google remove all snippets and cached pages related to Blippy. We were extremely conservative in viewing the data for potential exposure (even if we were unable to confirm that such exposure had taken place). As a result, we reached out to a total of eight individuals.”
Love a post that raises more questions than it answers. On Friday (April 23), we had four customers impacted and after “the discovery of an additional card,” it doubled to eight. I think we missed an update in between.
It’s not clear, though, if all eight had payment card data exposed. Even if it’s eight people, how does that map to “200 or so” URLs? With cache, the same page could certainly have appeared repeatedly, but 200 or so URLs for eight people?
Blippy’s problems got worse. Kumar again: “Naturally, when users learned of the issue this weekend, some wanted to disconnect their credit card accounts or delete their entire user account. At the same time, Blippy’s servers had been under increased load due to the media attention. This resulted in many failed requests to delete accounts because we had not invested sufficiently in making our account deletion process as programmatically efficient as it could be.” He’s right. Blippy was having a bad weekend.
Kumar ended his post with a list of five things Blippy will do to address these problems: Hire a Chief Security Officer; have regular third-party infrastructure and application security audits; continue to invest in systems to aggressively filter out sensitive information; control caching of information in search engines; and “create a security and privacy center.”
Those actions are all fine things, but the caching effort still feels like the sleeping security guard. What’s missing, though, is a strict pledge to not expose any payment card data ever, even in a testing mode, even in a testing mode limited to Staging, even in a testing mode limited to Staging that can only be accessed from within the LAN.
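As an added illustration of what “aggressively filter out sensitive information” looks like in practice (example code written for this page, not Blippy’s own), here is a server-side redactor assumed to run on every transaction description before it is rendered on a public page or offered to a crawler. It Luhn-checks each run of 13 to 19 digits so that order and tracking numbers pass through while real card numbers are masked; the sample descriptions are constructed.

```python
import re
from typing import Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in text, keeping only the last four digits.

    Returns the redacted text and the number of card numbers masked."""
    count = 0

    def _mask(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # an order or tracking number: leave it untouched
        count += 1
        return "[CARD ****" + digits[-4:] + "]"

    return CANDIDATE_RE.sub(_mask, text), count


def demo() -> Tuple[int, list]:
    """Run the filter over constructed transaction descriptions (hypothetical data)."""
    samples = [
        "PURCHASE 4111111111111111 ACME STORE #12345",   # test-range card number
        "Order 1234567890123 shipped via carrier",         # 13 digits, not Luhn-valid
        "POS 5500 0000 0000 0004 COFFEE SHOP",             # spaced test-range number
    ]
    results = [redact_pans(s) for s in samples]
    return sum(n for _, n in results), [t for t, _ in results]


if __name__ == "__main__":
    masked, lines = demo()
    print(masked, "card numbers masked")
    print("\n".join(lines))
```

Only the public-rendering path is covered here; the same check belongs on anything that leaves the payment-processing boundary, including logs and search-engine snippets.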
Of potentially greater concern is the original post by Kaplan. The “less bad than it looks” comment was ill-advised and, in fact, that line was removed from the post after some negative feedback. We initially suggested that if Kaplan still feels it’s no big deal, maybe he should post his card data on the site and see how inconvenient it feels.
Beyond even that is Kaplan’s other comment: “It’s important to remember you’re never responsible if someone uses your credit card without your permission. That’s why it’s okay to hand your credit card over to waiters, store clerks, E-Commerce sites and hundreds of other people who all have access to your credit card numbers.”
We couldn’t put it any better than did Patricio Robles at EConsultancy: “Most cardholder agreements protect the cardholder against unauthorized charges provided that the cardholder has taken reasonable measures to protect his or her card against loss or theft. Can individuals willingly sharing purchasing information with a service like Blippy really claim to be exercising reasonable care to safeguard their credit card details?”
Robles also points out that Blippy—and data-sharing services like it—are an odd duck in the payments space, a point that PCI Columnist Walt Conway elaborates on wonderfully.
By the way, we noticed that Blippy management chose to turn comments off on their postings about the data breach. Given what you were telling your customers and their likely response, that move—turning off comments—was quite wise.
May 1st, 2010 at 1:06 am
Every time I see/hear a corporate mouth say that he takes (privacy/security/whatever) “seriously,” I run for cover.