Blippy Snafu Sends Advertising Agencies Warning
The data security debacle that landed consumer credit card data in Google search results and "raw transition data" in the HTML code on some Blippy pages should serve as a warning to the advertising industry as it becomes more entrenched in technology. Some traditional marketers don't fully understand the consequences.
For those who sign up for the service, Blippy shares purchases with friends. All of them. Blippy Co-founder and Chief Executive Officer Ashvin Kumar wrote in a blog post Monday that the company noticed the error as early as February, calling it a "technical oversight" that exposed data. Apparently, entering the search term "site:blippy.com + outstanding" into a Google query returned the credit card numbers and recent purchases of some Blippy members. "We incorrectly considered raw data fairly harmless," he wrote.
The Blippy data breach demonstrates how easily a software coding error or poorly configured system can expose valuable and damaging data about a company and its clients, according to E.J. Hilbert, president of Epic Advertising's Online Intelligence Division.
Hilbert, who served as director of Security Enforcement for MySpace and as a cybercrime Special Agent for the Federal Bureau of Investigation, says that as soon as hackers discover a breach like Blippy's, they do everything possible to gain other information from the breach, as well as determine the havoc they can wreak.
"Data that a company does not find valuable may, in fact, be incredibly valuable to someone else," Hilbert says. "Any company that collects data about clients, customers or employees needs to make sure they secure and protect that data as if the data was about the company CEO, president or other high-level executive prior to going live with their product."
Online Intelligence offers antifraud and anti-abuse services to parent company Epic Advertising. The unit looks at how Epic clients' data is controlled, used, and pushed through, and makes recommendations. The advice includes protecting the consumer data from clients, such as credit card data and personal information gathered during advertising email campaigns and promotions. Most agencies don't share enough client data with security firms to protect customer data and guard against click fraud.
Some companies are putting into play methods to protect data, but many aren't thinking that way, Hilbert says. "They don't realize the significance," he says. "Obviously, the FTC thinks it's significant. Ad agencies will need to find a way to protect the data."
In the early 2000s, when major companies were getting hacked and credit cards were being stolen, Congress decided the payment card industry needed to develop a process to protect consumers. So they created PCI Compliance, a set of rules protecting the use of payment cards: who can use what data and how.
The most profitable use of hacking is spamming and advancing malware, but errors similar to the one that happened with Blippy will also rapidly become a lucrative business if companies don't pay more attention to protecting consumer data collected from advertisers or third-party aggregators. "Information is information, and if you're smart enough to know how to use it, the data becomes very important," Hilbert says.
In the next few weeks, Online Intelligence will launch software that enables companies to spider the Web to identify advertisements related to the independent marketers or affiliates that own them. Hilbert says the software will also identify spyware or malware, as well as provide services to advertisers or celebrities to protect brands.
Hilbert wants to educate others who support advertising agencies and clients because Online Intelligence can't protect them all. "Online advertising is mainstream; it's not something you play around in," he says. "Every major company needs to be in it. And being in it means you must protect your clients' data."