As I mentioned in Sunday’s post, Blippy’s founders were hammering out a new security plan to assure users that all their information, especially their credit card numbers, would be safe. They delivered this morning, in their latest blog post, issuing new details about the blunder, how it worked with Google, and the framework for a go-forward plan. In addition, Blippy sounded more contrite about the situation. On Friday their post said, “it’s a lot less bad than it looks,” this Monday the tone is less defensive and more apologetic: “However, this is a very serious issue and simply apologizing is not enough. We’ve spent the last 48 hours working around the clock to dissect the issues, reach out to affected users, and put together a plan to ensure this never happens again.”
The new security plan is a five-pronged effort:
After reaching a resolution, we spent today working on a go-forward plan to ensure that this never happens again.
1. Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
2. Have regular 3rd-party infrastructure & application security audits.
3. Continue to invest in systems to aggressively filter out sensitive information.
4. Control caching of information in search engines.
5. Create a security and privacy center that contains information about what we are doing to protect you.
The security of our users is our highest priority. If there are additional measures you would like us to take to improve Blippy’s security, please do not hesitate to email us at firstname.lastname@example.org. We will personally respond to each and every recommendation.
Reading this list, I wondered why some of these measures were not implemented on day one. They’re a small start-up, so I understand not having a designated Chief of Security yet, but they should have had a security and privacy center (because of the high volume of sensitive information) and a closer relationship to search engines. Of course, that old cliche: better late than never, certainly holds true here. Conclusion, it’s thin on details but if executed properly, it could go a long way in restoring trust and persuading new users to come on board.
For their full post, click here.