BreachExchange mailing list archives
Re: Blippy to hire CSO, conduct audits after credit card breach
From: Todd Glassey <tglassey () glassey com>
Date: Wed, 28 Apr 2010 08:33:16 -0700
On 4/27/2010 4:35 PM, Jake Kouns wrote:
http://www.scmagazineus.com/blippy-to-hire-cso-conduct-audits-after-credit-card-breach/article/168728/

Blippy, a Silicon Valley start-up that enables users to share details in real time about purchases they make, plans to invest millions in information security following revelations that it exposed the credit card numbers of a small number of people through Google's search index.

Ashvin Kumar, co-founder and CEO of Blippy, said in a blog post early Monday that as a result of the breach the company plans to hire a CSO, conduct regular third-party security audits, and install technology that strips out sensitive information from Blippy posts. In addition, the firm plans to create a central portal for users to obtain information about security and privacy.

Kumar explained that some banks, in rare instances, include credit card numbers as part of the line-item purchases shown on transaction statements. This so-called raw transaction data normally is stripped out by Blippy but, due to a "technical oversight," it appeared within the HTML code on some Blippy pages for a half day in early February, coincidentally the same time that Google indexed the site.

"Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index," Kumar said in Monday's post. "Google effectively took a snapshot of Blippy during that half-day period. Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half-day exposure into a three-month exposure."
What a crock of merde! It's funny to see how sloppy Blippy is considering its founders and the money under it from Sequoia and Charles River... but hey, it is what it is. One thing that is really funny is the idea that identity thieves don't have their own copies of the Google spider running on a box in their garage which looks exactly like the Google spiders running from the Mountain View or Oregon data centers, and what damage that does to a security model which fails to limit the spiders' access to their systems. That means this is potentially a much worse leak than they are trying to spin it as, IMHO.

Todd
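The leak described in the article (card numbers present in the raw HTML but not rendered) and Todd's point (any crawler, not just Google's, stores the raw markup) come down to one check: scan what a crawler actually fetches, not what a browser displays. The following example is added here for illustration; it is not code from Blippy, from the article, or from the list posters, and the sample markup, the element names and the card numbers in it are constructed (the numbers are the well-known Visa and Mastercard test PANs). It finds Luhn-valid card numbers anywhere in the raw markup, shows that a visibility-aware scan of the same page finds none, and redacts the matches down to the last four digits.

```python
"""Find and redact card numbers that a crawler would capture from raw HTML,
including ones a browser would never render (hidden elements, comments,
attribute values).  Added example; not the Blippy code or the article's."""
import re
from html.parser import HTMLParser

# Constructed sample page, not real Blippy markup.  One purchase line whose
# "raw transaction data" carries a PAN in a display:none span, an HTML
# comment and a data- attribute.  "Order 1234567890123" is a 13-digit id
# that is NOT a card number (fails Luhn) and must survive redaction.
SAMPLE_HTML = """
<div class="purchase">
  <span>Starbucks $4.25</span>
  <span>Order 1234567890123</span>
  <span style="display:none" class="raw">POS PURCHASE 4111111111111111 STARBUCKS</span>
  <!-- raw: CHECKCARD 5500000000000004 AMAZON -->
  <a href="/txn/123" data-raw="4012 8888 8888 1881">details</a>
</div>
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts most false positives from plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(markup: str) -> list:
    """Luhn-valid card numbers anywhere in the raw markup: text, comments,
    attributes.  This is the crawler's view of the page."""
    found = []
    for m in PAN_RE.finditer(markup):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


class VisibleText(HTMLParser):
    """Collect only text a browser would render: no comments, no attribute
    values, nothing inside an element styled display:none.  Simplified:
    it assumes every hidden element has a closing tag."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "")
        if self.hidden_depth or "display:none" in style:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if not self.hidden_depth:
            self.parts.append(data)


def visible_text(markup: str) -> str:
    """The page as a human sees it; the 'not visible in plain view' check."""
    p = VisibleText()
    p.feed(markup)
    p.close()
    return " ".join(p.parts)


def redact_pans(markup: str) -> str:
    """Mask Luhn-valid matches to their last four digits; leave other
    digit runs (order ids, timestamps) untouched."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, markup)


if __name__ == "__main__":
    print("crawler sees :", find_pans(SAMPLE_HTML))
    print("browser sees :", find_pans(visible_text(SAMPLE_HTML)))
    print(redact_pans(SAMPLE_HTML))
```

The point of the two scans is the gap between them: the visibility-aware scan returns nothing for this page, while the raw-markup scan returns all three numbers, which is exactly the gap that turned a half-day "hidden in the HTML" mistake into a three-month exposure. Redaction belongs on the raw markup before it is served, and it should run over whatever any client can fetch, since nothing distinguishes Google's crawler from a copy of it on someone else's box.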
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php