What were they thinking?
In a previous post, I noted a new social networking site called Blippy that basically lets you see what your friends are buying. Maybe if you're too young to remember the dot-com era, that sounds like a perfectly reasonable thing to do. To me it just sounds like a huge privacy problem just waiting to happen.
According the what's posted on Blippy's web site, the problems have already started. In particular, it looks like Blippy incorrectly considered raw transaction data to be harmless at one point, and some of it ended up the HTML on some of their web pages.
Blippy has a five-step plan for making sure that this doesn't happen again:
- Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
- Have regular 3rd-party infrastructure & application security audits.
- Continue to invest in systems to aggressively filter out sensitive information.
- Control caching of information in search engines.
- Create a security and privacy center that contains information about what we are doing to protect you.
These steps look like a good move in the right direction, but why weren't these done in the first place? And with all the news about PCI DSS these days, who could possibly have thought that credit card transaction data wasn't sensitive and needed to be protected?