Hidden relics from the beta testing days

Apr 24, 2010 10:42 GMT  ·  By

Around 200 transactions shared by users on new social networking service Blippy exposed sensitive data such as credit card numbers. The information had been accessible for months via a simple Google search query, until the start-up had it removed from the search engine's cache yesterday.

Blippy is a new social networking start-up, which allows people to share news of their latest purchases with the world or their friends. The service works by analyzing credit card statements provided by the users and should theoretically clean up the information to produce messages of the form: "[user] spent $[amount] at [business]."

In theory, the system should remove even relatively harmless data, such as the store numbers that usually appear on credit card statements, from the automatic posts it generates. However, Philip Kaplan, Blippy president and co-founder, explains that months ago, when the service was still in beta, some of this raw, unprocessed information was still present in the HTML source of pages for testing purposes.

"Raw data is typically harmless. But it turns out that some credit cards (4 out of thousands in this case) show the credit card number in the raw data. For example, 'Quiznos Inc Store #1234 from card 4444....'  […] Enter Google's cache. Turns out Google indexed some of this HTML, even though it wasn't ever visible on the Blippy website, and was removed from the HTML code months ago," Kaplan wrote on the service's blog.

The start-up learned of the data leak when the revealing search query, "from card" site:blippy.com, started circulating on Twitter, and immediately contacted Google to have the information removed. According to a spokesperson for the Internet search giant, the problem was fixed in a little over two hours.

Of course, this is not the first time credit card numbers have shown up in Google search results. Back in March last year, an Australian IT technician discovered a Google-cached Web page listing complete details for around 22,000 credit cards.

Compared to that incident, the Blippy leak, which affected only four cards, might seem insignificant. However, the lesson here is to take every possible source of accidental exposure, including search engine crawlers, into consideration when working with sensitive data on live systems.
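As an added illustration of the kind of publish-time check that lesson calls for (this is not Blippy's code; the sample page, field names and numbers are constructed, and 4111111111111111 is a standard test card number), the following scans the whole response body, including HTML comments and hidden inputs, for Luhn-valid card numbers before a page can reach a crawler:

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects store numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number-like string in the text. The scan covers
    the raw document, so comments, hidden inputs and data attributes are included."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with its last four digits only."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return "****" + digits[-4:] if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def safe_to_publish(html: str) -> bool:
    """Publish gate: the full response body, not just the visible text, must be clean."""
    return not find_pans(html)


# Constructed sample page (hypothetical): the visible post is clean, but raw
# statement data was left behind in a comment and a hidden debug input.
SAMPLE_HTML = """<html><body>
<p>alice spent $7.45 at Quiznos</p>
<!-- raw: Quiznos Inc Store #1234 from card 4111111111111111 -->
<input type="hidden" name="debug_raw" value="order 1234567890123456 card 4111 1111 1111 1111">
</body></html>"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_HTML))       # both copies of the test card, not the order id
    print(safe_to_publish(SAMPLE_HTML))  # False
    print(mask_pans(SAMPLE_HTML))
```

The regex alone would also flag the 16-digit order id in the sample; the Luhn check is what keeps such false positives out of the block list.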

"We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again. We recently raised $11.2 million from investors and are using a significant amount of that to build a world-class, secure infrastructure. We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it's during a small, limited beta test period," Blippy's Kaplan promises.