Blippy to hire CSO, conduct audits after credit card breach

Blippy, a Silicon Valley start-up that enables users to share details in real time about purchases they make, plans to invest millions in information security following revelations that it exposed the credit card numbers of a small number of people through Google's search index.

Ashvin Kumar, co-founder and CEO of Blippy, said in a blog post early Monday that as a result of the breach the company plans to hire a CSO, conduct regular third-party security audits, and install technology that strips out sensitive information from Blippy posts. In addition, the firm plans to create a central portal for users to obtain information about security and privacy.

Kumar explained that some banks, in rare instances, include credit card numbers as part of the line-item purchases shown on transaction statements. This so-called raw transaction data normally is stripped out by Blippy but, due to a "technical oversight," it appeared within the HTML code on some Blippy pages for a half day in early February, coincidentally at the same time that Google indexed the site.

"Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index," Kumar said in Monday's post. "Google effectively took a snapshot of Blippy during that half-day period. Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half-day exposure into a three-month exposure."

Once Blippy was alerted to the incident, it asked Google to remove all cached pages related to the company and remove some 200 URLs that contained the card numbers. After a thorough review, Blippy ended up notifying eight people whose sensitive information may have been publicly exposed.

"They trusted us with their information, and we are truly disappointed to have let them down," Kumar said. "While these users reflect a tiny sliver of our user base, any number greater than zero is deeply unacceptable to us."

Phillip Kaplan, Blippy's president and co-founder, said in a separate blog post that none of the personal data ever appeared on the Blippy site and that the exposure was not related to a hack or server breach.

He added that the company recently raised $11.2 million in venture capital funding, a "significant" amount of which will be dedicated to building a premier "secure infrastructure."
