Security is a Holistic Proposition

Gorka Sadowski



Related Topics: Security Journal

Blog Post

Blippy Credit Card Breach - Lessons for the Future

Startups start from scratch - do it well!

Are we growing immune to bad news about security breaches?

I sure hope not, although it's hard to keep up with all of them.

Did you read about the Blippy Data Breach at http://bit.ly/cyR5aU?

You know, Blippy, the up-and-coming startup that let very sensitive information leak out and then tried to downplay the incident. Not good. And when its users fled and tried to cancel the service, the cancellation service itself went down. Oops...

Blippy should have known better, too: their business model is based on handling very sensitive data, including credit card information, and their value proposition is based on being the custodian of their clients' very personal data.

So for such a company, risk is very high. It is high because of the nature of the data being handled, and high because of how volatile the trust their clients place in them is.

Lose data, and you lose Trust. Lose Trust and you lose your customers. And then you fold.

From a risk management perspective, security policies and procedures need to match the level of risk that the business faces.

In this case, did they fall short? Were the following aspects properly assessed when considering the level of risk?

  • Data classification. Their co-founder Philip Kaplan was quoted as saying "Raw data is typically harmless." We know that statements such as "typically harmless" are... typically dangerous! He then continues: "But it turns out that some credit cards (4 out of thousands in this case) show the credit card number in the raw data." Far from harmless, then. Did Blippy really understand the nature of the data they were handling? Raw data describing a purchase, such as the credit card number, the place of the transaction, etc., is actually very sensitive data, and a feed has to be classified by the most sensitive field it can ever carry, not by what it carries "typically".
  • Product management and release procedures. They used real, "raw" data when performing their beta tests, and the functionality was released as is. Is it a good idea to beta test with live information? When I was working with financial institutions a few years back, we were already using "John Doe with credit card number 1111 2222 3333 4444 bought a widget at YeOl'Shoppe". We used him and his virtual friends every time we needed to beta test sensitive applications. We never used real, live data.
  • Monitoring of confidential information available in the wild. Blippy acknowledged that the hole dated from their earliest days as a startup: "We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test." This means that the data was probably in the wild for a long time, already indexed by search engines and kept in caches by the likes of Google for everybody's viewing pleasure. Is this taking security seriously?
  • Damage control and communication. Their official statement includes "While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it's a lot less bad than it looks." Yes, this type of press release sure « sucks », and it is a clear indication that Blippy had no crisis or contingency plan from a communication perspective.
  • Poor capacity planning. As word of the incident spread, Blippy's users and customers started fleeing and tried to cancel their accounts. This created a denial of service on the cancellation service. The official press release states that "we had not invested sufficiently in making our account deletion process as programmatically efficient as it could be."
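The first two points above (classify raw records by the most sensitive thing they can contain, and beta test with "John Doe" data rather than live cards) are the ones a practitioner can turn into code. The following Python is an added example, not Blippy's code and not part of the original post: it scans constructed sample purchase records for primary account numbers (a 13-19 digit run that passes the Luhn check), classifies and redacts any record carrying one, and generates Luhn-valid synthetic card numbers for test data. The record format, the "1111" test prefix and the sample lines are assumptions made for the example.

```python
"""Classify and redact raw purchase records that may carry card numbers, and
generate synthetic Luhn-valid card numbers for beta testing.

Added example; the record format, the test prefix and the sample records are
assumptions, not anything from the incident described in the post."""
import random
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in a raw record (digits only).
    Order numbers and timestamps of the right length fail Luhn and are skipped."""
    return [
        _digits_only(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits_only(m.group()))
    ]


def classify(text: str) -> str:
    """Classify one raw record by the most sensitive field it carries."""
    return "CARDHOLDER_DATA" if find_pans(text) else "INTERNAL"


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN down to its last four digits; leave other
    digit runs (order numbers etc.) untouched."""
    def mask(m):
        digits = _digits_only(m.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(mask, text)


def synthetic_pan(prefix: str = "1111", length: int = 16, rng=None) -> str:
    """Generate a Luhn-valid test card number for 'John Doe' beta data.
    The prefix is an assumption: use a range your processor treats as test-only."""
    if rng is None:
        rng = random.Random(0)
    body = prefix + "".join(
        str(rng.randrange(10)) for _ in range(length - len(prefix) - 1)
    )
    check = next(d for d in range(10) if luhn_ok(body + str(d)))
    return body + str(check)


# Constructed sample records for the example (not real transaction data).
RAW_RECORDS = [
    "2010-04-21 John Doe bought a widget at YeOl'Shoppe, card 1111 2222 3333 4444, amount 12.99",
    "2010-04-21 Jane Roe coffee at Corner Cafe, order 20100421000123, amount 3.50",
    "2010-04-22 Juan Perez books at Town Books, card 4111-1111-1111-1111, amount 45.00",
]


def scan(records) -> list:
    """Return (classification, redacted record) pairs for a batch of records."""
    return [(classify(r), redact(r)) for r in records]


if __name__ == "__main__":
    for cls, line in scan(RAW_RECORDS):
        print(cls, line)
    print("synthetic test card:", synthetic_pan())
```

The order number in the second record is 14 digits long and would trip a naive "long digit run" regex; the Luhn check is what keeps it out of the cardholder-data bucket while still catching the two real-format card numbers. Anything classified as CARDHOLDER_DATA should be redacted before it is stored in a feed that can ever become public, and the synthetic generator is what should feed beta environments instead of live data.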

So, imagine being a Blippy customer. You sign up for their service, you hand over your credit card information, then you give them permission to monitor your purchases and publish them to your friends. Suddenly it becomes known that some confidential information has leaked out. You search the Internet and come across the official statement that if it's your information that leaked out then "it sucks" but "it's a lot less bad than it looks". You decide to cancel the service, go to their cancellation page, and are faced with a service not available.

Not good. Not today. We've been in the security business long enough to avoid this.

And the "it's a startup" argument doesn't fly either. On the contrary, a startup has the opportunity to take security seriously from the get-go and start on the right foot.

This is not your fly-by-night startup either. Having obtained $12 million in financing from serious VC firms, they enjoyed a $50 million valuation. I'm sure that after this incident their valuation took a deep dive.

The good news is that the VCs will not be happy, and there is a chance that the next startups, especially the ones dealing with sensitive information, will pay more attention to security.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.