April 23, 2010 3:54 PM PDT

How Blippy users' credit cards got into Google

by Tom Krazit

After Blippy exposed credit card numbers in early February, Google's search crawlers failed to detect that it had scrubbed its site.

A series of gaffes at Blippy, Google, and a Midwest bank exposed the credit card numbers of four individuals within Google search results for more than two months.

Friday was easily the worst day in the history of Blippy, a young start-up that enables people to create social networks around sharing information on goods and services they buy. VentureBeat discovered that credit card numbers of four Blippy users could be found in Google's search index, and it published its findings in a story, forcing the start-up's three founders to scramble to repair the damage and get the numbers removed from Google's search index.

Blippy acknowledged that it should not have exposed raw data containing credit card numbers to the Internet in February, when it was working on the site. But Google confirmed that its search bots should have noticed that Blippy had removed that raw data promptly when its crawling technology made its next pass across Blippy's site, which may have never happened.

A Google representative said the company was looking into why its technology did not update its cache of Blippy's pages for more than two months, declining to comment further.

The problem began when Blippy made a few changes to its Web site code in early February, inadvertently exposing the raw data that banks send to the service when a credit card user makes a purchase. That data usually includes innocuous data such as time, date, amount, and location of the purchase, and Blippy realized that it needed to scrub that data from its site when it discovered that confirmation numbers for airline tickets were exposed.

But it did not realize in February that one particular bank, Fifth Third Bank, based in Cincinnati, also sent the actual credit card numbers of its users along with that purchase data. Blippy co-founder and CEO Ashvin Kumar said Blippy had no idea that this data had been exposed until Friday morning. He said no other bank used with the Blippy service appeared to send credit card numbers along with the rest of the data.

Two of the Blippy users affected by the breach--Ryan Alcott of Benton Harbor, Mich., and Bradd Dantuma of Grand Rapids, Mich.--confirmed that they were Fifth Third customers. A Fifth Third representative did not return a call seeking comment Friday.


The credit card numbers of four Blippy users were available to anyone on the Internet for more than two months.

(Credit: Screenshot by Elinor Mills/CNET)

After they saw the VentureBeat story, Blippy executives attempted to remove the data from Google via its Webmaster tools, but they reached out directly to the search giant after realizing that a media frenzy had begun. Google purged the information around 11:20 a.m. PDT Friday, it said.

Many who learned of the incident were probably more surprised that something like this hadn't happened sooner, given the skepticism of many about Internet privacy, security, and the wisdom of sharing your economic activity with the world.

Kumar thanked Google for its prompt response Friday morning and willingness to admit that something went wrong with its crawling technology. The card numbers were not visible on Yahoo or Bing on Friday morning using the same type of search that produced the numbers on Google.

Still, "we have to plan for the worst-case scenario," Kumar said. Google provides tools to Webmasters that allow them to flag content that was mistakenly published, and had Blippy taken advantage of those tools in February, the world would have likely never learned of the data breach.

The incident was especially painful for Blippy, given that a New York Times profile of the company appeared Friday morning, highlighting the growth of start-ups like Blippy that are designed to share personal information with the world. And the "worst-case scenario" is probably yet to come: although Alcott was willing to sign up for the service again Friday evening, after Blippy had initially removed his account in hopes of preventing any further breaches, he said, "I'm thinking about talking to a lawyer."

Updated 11:25 p.m. PDT: Late Friday, Google asked to clarify its position on indexing and inadvertently posted content. "While we always want to serve our users with the freshest possible information, fundamentally it is webmasters' responsibility to request removal from our cache when they make a mistake," the company said in a statement.

Tom Krazit writes about the ever-expanding world of Internet search, including Google, Yahoo, and portals, as well as the evolution of mobile computing. He has written about traditional PC companies, chip manufacturers, and mobile computers, spending the last three years covering Apple. E-mail Tom.
by yacahuma April 23, 2010 4:51 PM PDT
I see no reason to keep credit card information on site, only the user and the bank gateways should know.
by spitbucket April 23, 2010 4:51 PM PDT
This is exciting, let's see how MS shills are going to blow this up.
by Bytrat April 23, 2010 5:36 PM PDT
What does this have to do with Microsoft????? There is no mention of them.
3 people like this comment
by jessiethe3rd April 23, 2010 5:49 PM PDT
Just baffled on your comment. Microsoft Google Apple Yahoo... whoever it is does not give a damn about your online privacy - they want all the information so that they can sell it to who they want to sell it to. Your Android phone is a walking ad machine capable of tracking your every move... they can pinpoint advertising and sell your information to the highest bidder. While maybe not direct user information today that is where the trend is going.

John Doe is at 203 West 9th Avenue next to your pizza shop. He has been home all day... he may be a good candidate to buy some of your tasty pizzas given his history of searching online restaurants. Would you like to give us .1% of his spending to get him into your restaurant?

By the way, we offer a transaction service so if you'd like to simply allow us to access his credit card we will place the order. Fees in association with this = 1.5%, roughly 75% of the cost for you to do a debt transaction.

By the way according to our data analysis John Doe is 50% more likely to buy more if you offer him something specific - would you pay .5% extra to get this information?

Just think of the possibilities of search datamining outside of your computer screen... a world where you will be categorized, marketed, and pushed psychologically to buy more... consume consume consume.

Anyway - on a bit of a rant there... I think this is a big slip up - Google should filter any # that looks like a credit card and block it.

Blippy is a small community that made a slip up and now will pay for that slip up... they won't survive the media onslaught unless they have a good VC backing.
by fudbuster77 April 23, 2010 8:14 PM PDT
Well, you see obviously Microsoft is at fault because they didn't have a good enough search engine for people to have used and discovered the confidential data and have it auto-published like Google did.

There. It's a conspiracy and it's all Microsoft's fault!

Or.... we can all look at Spitbucket's comment and shake our heads thinking, "What is it you're smoking, and can we have a puff?"
by ShoppingGod April 23, 2010 4:59 PM PDT
I think social shopping/recommendation certainly makes sense but the approach Blippy took was clearly moronic and over-aggressive. There's got to be other companies trying to come up with a solution here. I discovered another service ShopSocially.com recently which seems to be similar except better and with complete privacy control. They are in beta and have some rough edges though.

Would love to hear from others whether there are other services in this space..
1 person likes this comment
by jensenjl April 23, 2010 7:27 PM PDT
Complete privacy control? How can you be so sure of that? We're talking about a data mining application written by flawed human beings. As much as we try to do things correctly we will always fail. It isn't practical to have complete oversight and I don't think it's even possible. Even with 10, 100, 1000 or a million double checkers something will ultimately fall through the cracks.

The idea that our data will ever be secure is as sane as thinking we will someday be able to turn lead into gold. Our data will never be completely secure. People will make mistakes and others will exploit those mistakes. The only secure computer is an unconnected computer. This not being practical we must base our actions on the fact that at some point something like this will happen and plan accordingly.
by ShoppingGod April 23, 2010 8:16 PM PDT
@Jensenji I see your point. Even if a service gives you control over who can see your data, a security breach can render it useless. That's why any information sharing online should always be a proactive, deliberate decision - not an automatic one like Blippy or Swipely. When Facebook tried automatic sharing via Beacon, there was a huge backlash.

Most other services (including ShopSocially which I mentioned) allow you to share but do so as a deliberate action.
by rosconh April 23, 2010 5:09 PM PDT
I can not understand why sensitive data such as credit card numbers are not encrypted all the time and only decrypted when they are used. Is that really hard to do? I have worked on applications that handle credit cards and at no time is the credit card unencrypted other than to process it.
by fudbuster77 April 23, 2010 8:16 PM PDT
Seems to me that Google's algorithms should have been able to identify a string of numbers being a credit card number and *not* shown it, perhaps flagging it for notice to an admin at Google. That might even be a service to offer for protection.
by peterpaschal April 23, 2010 10:33 PM PDT
sweet