Blippy's blooper: Social networking site leaks consumers' card data
Goof rekindles debate over how much private data should be public
By Brad Allen
Blippy, a social networking site, was too gregarious with some of its users' financial data, revealing credit and debit card numbers of eight individuals on the Google search engine.
Blippy has apologized, but the incident rekindled a debate over the role of privacy on the Web.
Blippy.com, which bills itself as "a fun and easy way to see and discuss what everyone is buying" allows members to register their credit and debit cards as well as accounts on sites such as iTunes and Netflix. The site tracks and reports to other members of the site where they shopped, what they bought and how much they spent. Members can decide how much information they want to share each time or they can have all their transactions automatically reported.
Late on April 23, online news sites reported that some Blippy members' credit and debit card numbers were available via a simple Google search. That led to a weekend scramble to plug the leak. In a blog, Blippy CEO and co-founder Ashvin Kumar admitted to "technical lapses" that allowed the sensitive information to get out and sit on Google's site for the previous three months. While the compromised data covered only about half a day's worth of transactions and affected a total of eight members, Blippy had Google scrub all Blippy-related snippets, about 20,000 pages.
The site issued a five-point plan to beef up security and reported that the firm will work with the affected users "to assist them in resolving any issues that may arise out of this unfortunate situation."
Privacy debate rekindled
Case closed? Not exactly. Consumer advocates used the case as an opportunity to urge caution in revealing information about your credit card use.
"It's a remarkably bad idea to tell the general public where you are using your credit card," said Gail Hillebrand, senior attorney at the Consumers Union defendyourdollars.org project. "You're buying yourself a headache by exposing credit card usage."
Credit card companies use fraud monitoring procedures based on your normal pattern of spending, Hillebrand pointed out. Allowing a "fraudster" to track your spending habits could arm them with enough information to figure out ways to slip by the fraud monitoring system, she warned.
She also pointed out that debit cards can create more complex issues if compromised. With a credit card, "you haven't paid yet," and have the chance to dispute charges when your bill arrives. But with a debit card, the money is taken, quickly and directly, out of your account. "You're missing dollars. Now, the rent check is bouncing."
In reality, the financial risk is small, since most banks have zero-liability policies that cover fraudulent activity for both debit cards and credit cards. But even so, it can still be a big headache for victims, who may need to get a new credit card as a result.
Credit card transactions are a gold mine for cross-marketing. It gives marketers so much information on what your shopping patterns are. Why would you voluntarily give that up?
|-- Chi Chi Wu
National Consumer Law Center
Card data 'a gold mine'
"Credit card transactions are a gold mine for cross-marketing. It gives marketers so much information on what your shopping patterns are. Why would you voluntarily give that up?" asked Chi Chi Wu, staff attorney at the National Consumer Law Center.
"We have all these advocacy fights trying to help people keep their information private and personal," she said, pointing out that really personal information shows up on credit cards -- including doctor visits, cell phone service providers and life insurance payments.
"These people are voluntarily giving it up. I'm just so perplexed by that."
Nonetheless, Wu said that if their credit or debit card information compromised by such a social networking site, "they have rights under credit card law."
In a post on Blippy's blog, co-founder Kumar said, "We are very sorry ... This is a very serious issue and simply apologizing is not enough. We've spent the last 48 hours working around the clock to dissect the issues, reach out to affected users, and put together a plan to ensure this never happens again."
What to do
What should you do if you suspect your credit card number may inadvertently be out over the Web?
Monitor your credit card statements and bank statements. It could be several months before fraudulent activity hits your account. You may also consider putting a credit freeze on your account, which will prevent anyone from opening a new account in your name (but will not prevent fraudulent charges on your existing account). If you find that your card has been compromised, it's time to get a new one.
Check with the vendor responsible for allowing your information to leak to see if they will pay for the credit freeze or for issuing a new card. Often, issuing banks will charge the company that corrupted the credit card information to pick up the cost of issuing a new card, Wu said.
See related: Affluent are more often victims of ID theft, report shows, 10 ways to protect yourself from data breaches, Must-know ID theft terms
Published: April 26, 2010
Three most recent Legal, regulatory, privacy issues stories:
- 6 ways to thwart pickpockets – Cybercriminals and data breaches get all the headlines today, but don't forget low-tech, fast-fingered pickpockets are still out there, blending in the crowd, eager to snatch your wallet ...
- U.S. Bank refunds $48 million for add-ons – The Consumer Financial Protection Bureau extended its crackdown on bank add-on products to U.S. Bank, which charged for credit protection products that consumers didn't always receive
- Fed holds course toward rate hike in 2015 – The Federal Reserve indicated that it will keep interest rates at historic lows for the time being to support the job market, but higher rates are coming ...