Yeah - all the relevant details are in there, and he's technically right about the CC# liability bit, but the last way you want to come off in a situation like this is "it's not all that bad..."
Well, it does at least show that the title of this news story is sensationalist link bait.
Sometimes people mess up. But there's a difference between "oh oops in the beta period we didn't realize that banks put credit card numbers in descriptions :/ and we didn't realize Google would index that. 4 people were affected and we're sorting it"
and
"We routinely share credit card numbers!!!"
Personally I'd give them a break about it. They're probably feeling pretty crappy about it all already without people blowing things out of all proportion. (This is one of the worst things about the internet IMHO - blowing tiny things up into mammoth proportions through rumor, misunderstanding and incorrect assumptions. And always assuming everyone is evil).
Out of proportion? Sure, at least in the US you are protected from credit card fraud assuming you take the appropriate actions. However, such a problem on their end shows a lack of attention to security, and while this may be an isolated incident it reveals a lot about how the company acts and prioritizes their responsibilities to their users. People like to repeat their mistakes, especially when they don't have the necessary resources, whether it be time, manpower, money or something else, to correct them; therefore I doubt this is the last serious blunder they will make, and that is reason enough for me to avoid them.
* They got some data
* The data has a "description" field
* They naively displayed that description field
* They then found to our horror that sometimes this description field contains CC numbers :/
I don't think you can really blame them too much for that.
It would be another story if they were actually storing CC numbers and 'accidentally' published them, but that doesn't seem to be what happened.
It's only 'not that hard' if you know that the numbers are going to be there. Perhaps the Blippy folk have never seen or heard of a credit card company that puts the card number in the description field. I certainly haven't. Have you?
It seems like a ridiculous idea, and while it makes sense in some corner cases, I'm not surprised that they missed something that was only a problem for four users ever.
Perhaps what we should be doing here is asking why Google kept a cache of months-old HTML instead of updating their cache?
I agree with your first statement, which is one of the things the Black Swan theory is about (love the book, def. recommend reading it): that you don't know what you don't know.
To that I would say, one should be very very very paranoid about what you print, given that you know that you're printing things from people's credit card bill statement.
Blippy shouldn't have output the CC numbers; whether or not Google caches it is secondary to this. Note that Google's cache wasn't explicitly out to get Blippy, they just happened to cache whatever Blippy was emitting.
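The kind of output filter this part of the thread is arguing for, as an added example that is not part of the original discussion and not Blippy's code: a scrubber that masks card-number-like digit runs in a free-text description field before it is rendered. The function names and the sample descriptions are constructed for illustration.

```python
import re

# 13 or more digits, optionally separated by single spaces or hyphens.
_DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(digits: str) -> bool:
    """True if any 13-19 digit window passes Luhn.

    Checking windows (not just the whole run) fails closed when a date or
    reference number is glued onto the front of a card number.
    """
    n = len(digits)
    return any(luhn_ok(digits[s:s + w])
               for w in range(13, 20) for s in range(n - w + 1))

def scrub_description(text: str, keep_last: int = 4) -> str:
    """Mask card-number-like runs in a free-text field before display."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not contains_pan(digits):
            return m.group(0)  # long digit run, but nothing card-shaped in it
        cut = len(digits) - keep_last
        return "*" * cut + digits[cut:]
    return _DIGIT_RUN.sub(mask, text)

# Constructed sample descriptions; 4111111111111111 is a widely used test number.
SAMPLES = [
    "POS PURCHASE 4111111111111111 ACME STORE",
    "CARD 4111-1111-1111-1111 REFUND",
    "POS 04 20 4111111111111111 ACME",
    "TRACKING 1234567890123",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scrub_description(s))
```

The Luhn check keeps ordinary long reference numbers readable, but roughly one in ten random digit runs will pass it by chance, so some non-card numbers get masked too; for a public page that is the safer direction to err in.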