<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Transaction Management &#38; Solutions &#124; TM&#38;S &#187; data security</title>
	<atom:link href="http://www.tmspay.com/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tmspay.com</link>
	<description>Transaction Management &#38; Solutions &#124; TM&#38;S</description>
	<lastBuildDate>Wed, 01 Sep 2010 00:03:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Social Sharing Networks and Data Protection</title>
		<link>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/</link>
		<comments>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 14:24:27 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=287</guid>
		<description><![CDATA[Social networking meets the credit card industry &#8211; in a new way this time.  Although I&#8217;m sure this recent new venture would have preferred a more favorable kind of news release.
Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.  [...]]]></description>
			<content:encoded><![CDATA[<p>Social networking meets the credit card industry &#8211; in a new way this time.  Although I&#8217;m sure this recent new venture would have preferred a more favorable kind of news release.</p>
<p><a href="http://www.blippy.com/">Blippy</a>, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.  <span id="more-287"></span></p>
<p><strong>How It Works</strong></p>
<p>The site operates like Twitter, where members can follow other members.  Members sign up one of their credit cards to the site and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.</p>
<p>A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account).  Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post.  For instance, “Starbucks USA 00075424 04/25 CARD #&lt;XXXX&gt; Purchase #&lt;XXXXXXXXX&gt; Newport Bch, CA”, would be converted to just “Starbucks”.</p>
<p>Members can also add accounts that Blippy has signed on (e.g., iTunes and Zappos), which can include further details of the card purchase.  With some accounts, a member can choose to show full product details:</p>
<p>Michael <em>purchased 1 app from iTunes </em>(followed by an image of the item, e.g., the iTunes song, displayed below the stream)</p>
<p>Or just the amount spent:</p>
<p>Michael <em>spent $3.75 at Starbucks</em></p>
<p>Members are using Blippy to find hot deals, compare costs (e.g., cable, utilities, cell phone), share restaurant experiences or post their own movie reviews.  Like Facebook, members and followers can comment on a post, or hide posts from certain people.  (Maybe you don&#8217;t want a friend to know that you spent $80 golfing when you cancelled a previously scheduled lunch meeting at the same time.)  Some see the revelation of spending habits as a conscience for shoppers.  Others see it as sharing too much information.  Certain purchases and excessive spending can be potentially damaging to someone&#8217;s reputation.  For consumers who want to share everything and have nothing to hide, this is perfect.</p>
<blockquote><p>&#8220;Users who share information online are becoming slowly aware of the risks of this new technology.&#8221;</p></blockquote>
<p>Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general.  On the flip side, it could create more competition.  If full details of a purchase are posted, a competitor could lower prices to steal future business.</p>
<p><strong>Privacy Concern and Security Risks</strong></p>
<p>Information sharing and web collaboration were made possible by Web 2.0 technologies.  Users who share information online are only slowly becoming aware of the risks of this new technology.  Companies that promote the sharing of information online need to ramp up security and take responsibility for helping to protect their users.</p>
<p>The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed on the HTML source page of a Blippy member’s page.  Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.).  After that issue was discovered, the glitch was fixed quickly.</p>
<p>According to Blippy cofounder Philip Kaplan, there was a &#8220;&#8216;technical oversight&#8217; in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.&#8221;  Because of the indexing power of Google, the HTML data, which included the full card numbers of four Blippy members, turned up in close to 200 search results.  Even though Blippy&#8217;s site went through several modifications after that, the Google snapshots of these pages were not updated.  Blippy worked with Google immediately to remove the indexed pages.</p>
<p>Blippy then discovered another member&#8217;s card number in a web search on Saturday, which turned up in 20,000 pages.  The company again worked with Google to remove the data.  In both cases, Blippy also contacted &#8211; and apologized to &#8211; the members affected.</p>
<p>Blippy &#8211; and its members &#8211; were quite lucky.  The damage could have been a lot worse had the site been in a more viral stage, &#224; la Facebook or Twitter.</p>
<p><strong>Who is in Control?</strong></p>
<p>Social networking has given people the power to open that privacy door &#8211; all on their own.  At the same time, otherwise secure data is put at risk when financial information is released into the open.</p>
<p>Amazon was leery of Blippy in the beginning, and blocked buyers from publishing their purchases.  Blippy went around the roadblock by asking members who used Gmail for access to their email accounts, so that it could obtain the purchase data that Amazon emailed to them.  Other retailers have joined Blippy with less concern, seeing it more as a promotional tool.</p>
<p>Even though a cardholder would not be responsible for fraudulent charges, it doesn&#8217;t help our economy if retailers are left holding debt as a result of credit card fraud.  As discussed in a previous two-part <a href="../../../../../2010/03/22/pci-compliance-why-merchants-need-to-take-it-seriously-part-i/">blog</a>, when data is compromised, fingers are usually pointed at the merchant receiving the card information.  However, all parties involved are responsible for ensuring data security.  On top of that, merchants need to be extra careful about business relationships which may affect the data protection of their customers.  Unfortunately &#8211; for banks and retailers &#8211; if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.</p>
<p>While Blippy thought they were on top of security on their site, the recent data exposure has changed their course.  In their April 26 <a href="http://blog.blippy.com/2010/04/26/blippy-issues-resolutions-plan/">blog</a>, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.</p>
<p>On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news.  Oh, and Blippy will soon have company in this playing field as <a href="http://www.swipely.com/">Swipely</a> is soon to go live.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security: Who is Responsible?</title>
		<link>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/</link>
		<comments>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 00:44:38 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Industry Compliance]]></category>
		<category><![CDATA[Payment Industry]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=140</guid>
		<description><![CDATA[The latest news about Heartland Payment Systems&#8217; 2008 security breach revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.
Heartland&#8217;s 2008 data breach is supposedly the largest breach of that year, but not the only one hit by the same hacker. According to Bob Carr, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="None"><img class="alignleft size-full wp-image-136" style="float: left; margin: 10px; border: 0px;" title="No Minimum" src="http://www.tmspay.com/wp-content/uploads/2009/09/post140.jpg" alt="" width="180" height="180" /></a>The latest news about <a href="http://www.bankinfosecurity.com/articles.php?art_id=1168" target="_blank">Heartland Payment Systems&#8217; 2008 security breach</a> revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.</p>
<p>Heartland&#8217;s 2008 data breach is supposedly the largest breach of that year, but Heartland was not the only company hit by the same hacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. However, news articles are blasting Heartland for not reporting the 2008 breach earlier so that customers and merchants could take action and precautions. While the Department of Justice has been successful in capturing individuals behind the recent data breaches, this should be a strong sign to any company involved with sensitive data that it should be stepping up efforts to prevent data loss.</p>
<p><span id="more-140"></span>Delayed notification of data breaches is becoming too common and is also a source of contention for those affected. The most recent news involved Radisson Hotels &amp; Resorts, who <a href="http://tech.yahoo.com/news/ap/20090819/ap_on_hi_te/us_radisson_hotels_security" target="_blank">recently revealed a breach</a> which occurred between November 2008 and May 2009. According to the Associated Press, Radisson reported that the data breach affected the cardholder names, card numbers and expiration dates of its North American customers, but it did not specify how many were affected.</p>
<p>One approach to getting companies to pay more attention to data security has been to hit violators financially. Visa and MasterCard impose fines for PCI compliance violations (<a href="http://blog.elementps.com/element_payment_solutions/2009/07/mastercard-pci-compliance.html" target="_blank">MasterCard has recently increased its fines</a> in the hope that companies will take data security more seriously). Class action lawsuits have also been filed against companies like Heartland by customers whose credit cards were affected in data breaches. Lawsuits and the financial impact on companies that handle sensitive data shouldn&#8217;t be the reason they impose stricter controls, but if it is, then companies that have been spared so far should take it as a lesson.</p>
<p>Following <a href="http://www.tmspay.com/2008/09/05/what-is-pci-dss/" target="_self">PCI DSS</a> guidelines for securing data is simply not enough. Everyone in the &#8220;payment chain&#8221; (i.e. point of sale, processors, financial institutions) is responsible for ensuring data security. The stronger each link is, the stronger the overall security of the data.  Additionally, although PCI compliance requirements vary with the level/tier of processing volume ($), everyone in the payment chain should go beyond what is required to protect the data. A processor using a third-party payment gateway should ensure that the vendor is PCI compliant. That same third-party vendor should ensure its customers are PCI compliant as well. Finger pointing won&#8217;t solve the problem in a world where companies should work together to produce best practices.</p>
<p>Stronger encryption, along with the safety of, and restricted access to, physical data storage, are just a few of the basics. Any company that handles sensitive data should have a dedicated team (or at least a key executive) assigned to manage those controls on a regular basis. A self-assessment or qualified audit should be seen only as a guidepost. Companies relying only on auditors to determine their compliance are putting themselves, and their customers, in jeopardy. Being compliant doesn&#8217;t mean a company&#8217;s data is secure, and the auditor cannot ensure that data is secure either; their job is simply to report on the controls in place for data security.  <a href="https://www.verisign.com/static/PCI_REASONS.pdf" target="_blank">VeriSign&#8217;s 2007 white paper</a> on how to avoid an audit failure describes basic, yet necessary, measures for data security that are still valid, yet likely not practiced enough, today. Companies need to take these measures more personally on behalf of the security of their customer data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
