Financial Exposure: Rudder Inadvertently Shows Users Each Other’s Bank Account Info
by Erick Schonfeld on May 19, 2009

Hundreds of people who use personal financial monitoring service Rudder woke up this morning to find that their personal bank account, credit card, and other financial data was exposed to other users. One Rudder user, Angie Seaman, told us that she received not only her own daily financial update from Rudder, but also the financial update for about 300 other users (see screen shot above). And not only could she see what was in their emails, but she could click through to their accounts. Seaman was understandably shocked and closed her account (see her full e-mail below). Plenty of other users have been complaining on Twitter as well.

I called up the company to find out what happened. Chief financial officer Nikunj Somaiya confirms that 732 accounts were compromised, or about 3.5 percent of active users. Members whose email addresses start with the letters “a,” “b,” or a number had their account information shared before the company noticed and shut down all e-mail updates. Somaiya says, “We realize this is very sensitive information. We are extremely sorry.” But he also notes, “We get read-only access to balances and transaction. We don’t even store your banking user name and password. We can’t touch your money, nobody can move your money.” Yeah, but hundreds of Rudder members might now know how much other users have in their bank accounts.

It could have been worse. Rudder only lets members keep track of their financial accounts and balances in one place. It doesn’t allow people to access the underlying accounts. It doesn’t show passwords or social security numbers or even real names—unless, of course, you use your real name as your email address, which many people do.

So how did this happen? Rudder’s emails were getting caught up as spam by Yahoo, so all of its users with Yahoo Mail accounts weren’t getting any updates. After talking with Yahoo, Rudder added a new DomainKeys Identified Mail (DKIM) component to its outgoing emails last night, which adds a signature to each email that verifies it is coming from a valid domain. But for some reason, “instead of separating the emails, it appended them together,” explains Somaiya. So those 732 users received not only their own financial updates, but also all of the updates from the appended accounts.
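An added example, not Rudder’s code and not from the article: a pre-send check for the failure Somaiya describes, where updates were appended together instead of separated. The account records, the function names and the accumulator defect in `buggy_batch` are assumptions made for illustration; the page does not say what the actual bug was.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample accounts, not data from the incident.
USERS = [
    {"id": 1, "email": "aaron@example.com", "balance": "1204.10"},
    {"id": 2, "email": "abby@example.com", "balance": "88.00"},
    {"id": 3, "email": "ben@example.com", "balance": "1.83"},
]


class IsolationError(Exception):
    """An outgoing update would reach, or describe, more than one account."""


def render(user):
    return f"Update for {user['email']}: balance ${user['balance']}\n"


def make_message(recipients, body):
    msg = EmailMessage()
    msg["From"] = "updates@example.com"
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Your daily financial update"
    msg.set_content(body)
    return msg


def correct_batch(users):
    # A fresh recipient list and body for every user.
    return [(u, make_message([u["email"]], render(u))) for u in users]


def buggy_batch(users):
    # Assumed defect for illustration: state created once outside the loop,
    # so each message also carries every earlier recipient and update.
    recipients, body, batch = [], "", []
    for u in users:
        recipients.append(u["email"])
        body += render(u)
        batch.append((u, make_message(recipients, body)))
    return batch


def check_isolation(user, msg, all_users):
    # Invariant 1: exactly one recipient, and it is the account owner.
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers += [str(v) for v in msg.get_all(name, [])]
    rcpts = [addr.lower() for _, addr in getaddresses(headers)]
    if rcpts != [user["email"].lower()]:
        raise IsolationError(f"account {user['id']}: recipients {rcpts}")
    # Invariant 2: the body names no other account. The e-mail address is
    # used as the account marker here, which is an assumption of this sketch.
    body = msg.get_content().lower()
    for other in all_users:
        if other["id"] != user["id"] and other["email"].lower() in body:
            raise IsolationError(
                f"account {user['id']}: body names account {other['id']}")


def send_batch(batch, all_users, deliver):
    # Fail closed: validate the whole batch before the first delivery,
    # so one bad message stops the run instead of going out with the rest.
    for user, msg in batch:
        check_isolation(user, msg, all_users)
    for _, msg in batch:
        deliver(msg)
    return len(batch)
```

Validating before any delivery matters here because, per the article, the problem was noticed only after updates for 732 accounts had already gone out.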

Somaiya says Rudder is bringing in a security consultant to go over their procedures and will implement any and all suggestions. But it might be too late. When it comes to personal finance, trust is everything, even if it is just your financial data you are entrusting to a site and not actual transactional capabilities. Will Rudder be able to bounce back from this breach? And will competitors such as Mint also be tarnished with doubt, or will they be able to capitalize on Rudder’s misstep?

Here is Angie Seaman’s email to us:

I’m not sure if you’ve heard this one yet, but this morning I woke up to a really unpleasant surprise. I had several hundred email updates from Rudder, only one was actually intended to be delivered to me.

The rest were to other users. Yes, I got about 300 users’ daily financial update information. I think I would have gotten more had I not deleted my account when it started happening. I got mostly email addresses that started with “a” and “b.” That’s shocking enough. I cancelled my account right away, but then wondered–can these people access my account?

So I clicked on one of the emails I received and lo and behold, it logged me right in as them. Obviously I didn’t do anything with their account but I could have.

There isn’t address information or full account numbers, but it’s pretty unreal that I was able to just access about 300 other users’ personal banking details. I don’t think they wanted me to know they’ll have like $1.83 left at the end of the month and I don’t really want them to know my info.

Update: As a precautionary measure, the company will be offering a free identity-theft service to all compromised Rudder members.

Comments

  • It goes without saying that trust is a huge issue in the personal finance space, and in the end, you stake your reputation not just on your ability to deliver a quality experience to your users and to actually save them money, but also on your ability to protect the money they have. As noted in the linked article, however, I’d hate to see people swear off the personal finance space in general because of the mistake of a single company – just because the Ford Pinto was prone to exploding does not mean that you shouldn’t drive cars from other companies.

    Here at Thrive (www.justthrive.com), we take our users’ data very seriously and are fanatics about security. After all, every single member of our team uses Thrive and so do our friends, family, and loved ones, not to mention all the people that use Thrive every day to get personalized advice and help with their finances.

    To provide some perspective on this incident, think about your bank. They could make the same mistake Rudder did and expose a great deal more information to the public. In the highly unlikely event that someone managed to hack Thrive (white hat hackers haven’t managed it yet), they would not be able to actually move your money. No bank passwords and user names are stored on our system. You cannot move money from within Thrive. Really, someone could get more information about your bank accounts (including your actual account number) by stealing the well-marked bank statements that arrive in your mailbox, and for far less work.

    I am not trying to trivialize this data breach: it is a serious issue. But as a personal finance advisory website, Thrive has helped people spend less and save more. I can look at the data from our site, month-to-month, and actually see real change. So there is real reward to using a personal finance site and I would hate to see people move away from this space simply because of the bad practices of one company. Thrive, along with others in the personal finance space including Wesabe and SmartyPig, bring real value to the people that use them and that is important to remember when evaluating the Rudder incident.

    • I also hope this doesn’t deter people away from online banking. Though, realistically, they have every right to stay away from such sites. When you really break it down, whether or not your website carries sensitive data or not, users want that data protected and when a company violates that trust, users will back away. This is one of the many reasons it is very hard to get older people to begin online banking: they don’t trust it, and with good reason.

      • Well, these are not good days for Internet privacy.

        In addition to the Rudder news, the latest news from Mint is that it is selling user information to third parties, according to Bloomberg.

        http://www.bloo...id=aWJnLqF0Y8zs

        “If Mint has a record of everything people have spent in the past and the record of what they want to spend in the future, that’s a pretty damn good position to be in,” Patzer, 28

        What in the world is the world coming to? Where are the companies that are standing up for user privacy? Has the entire Internet turned evil?

        • Well, as Tim Berners-Lee once said, in difficult economic times, the temptation of Internet companies to abuse their users’ private information for quick profit is just too great.

          I am sure we will be seeing more of these scandals in the weeks ahead.

          Companies are always tempted to do evil for short term gain.

          So, while having information on third party servers has obvious advantages … you really need to beware. Perhaps doing your finances locally on Quicken, not giving out your personal details to third party sites, and searching the Internet through Yauba are not such bad ideas after all.

        • They’ve been talking about this for awhile and may already be doing it, as it is not specifically prohibited in their privacy policy and terms of service.

          At Thrive, we’ve taken this option off the table. The primary outlet to sell data to is people that want to use it to market to you better, which is just code for “make you spend more money”. Since we’re here working to make it easier to spend less and save more, we view selling data as a clear ethical violation and one we’re simply not willing to consider.

          There are many ways to make money in the world, and we think that we can keep Thrive here and working for you, based on revenue that is generated when we help people. It won’t make us rich, but it keeps the lights on and the servers running.

        • What in the world is the world coming to? Where are the companies that are standing up for user privacy?

          Well there is

          EFF
          Stanford Center for Internet and Society
          Tor
          Yauba
          Wikileaks

          If you weren’t so lazy to look around, you would see that there are plenty of alternatives out there.

        • Calcisi:

          To be fair, that article does not say that they ARE doing it. Just that they’re considering it. I’d imagine that right now they are crunching the numbers to see how much info they can sell vis a vis people deleting accounts. I’m sure they’ll find a sweet spot.

          As for your penultimate question, you should read your own link. The answer is in there.

        • Whether they do it or not, I deleted my Mint account after reading this debacle.

    • It’s anonymous but only if you don’t use your real name in the email tied to your account on Rudder. Why would someone use their real name for such an important account?

    • You can promise or guarantee a better service or whatever marketese words you offer, but software glitches can always happen unexpectedly to anyone for various reasons, mostly human error. Take Google for example…you may have heard an error in its service recently this week.

      • Sure, human error does happen: I spilled tea on myself earlier. But clearly not all companies are the same and different companies have different ways of making sure human error doesn’t occur, particularly with regard to user data.

        And for the record, I’m not speaking marketese…I’m actually the Lead Scientist (guy who builds new product ideas) and I’m just straight up telling you what we believe. =]

    • wow matt, you are now officially an ambulance chaser. good going.

      • Why, because I’m commenting on something that has an effect on everyone using a personal finance application? I think when these sort of data problems occur, it is important to be talking about the issue. Honestly, I feel bad for the guys at Rudder: mistakes happen, especially in a small company. But what I would really hate to see is people stop using personal finance sites, because they do a lot of good. Not just Thrive, but Wesabe, SmartyPig, etc. The way I see it, it is a bit like the postal service.

        People steal mail every day…do you still trust the postal service? In evaluating your usage of a service, you have to understand a) what kind of data can be stolen, b) the likelihood that it will be stolen, and c) the utility of the service. In the case of Thrive and most personal finance sites, a) the types of data stored is restricted, b) the data security is taken seriously, and c) they provide real value to people, often for free. One company’s bad practices should not mean the difference between using and not-using a site, unless you believe that other companies are equally likely to have similar practices.

        And so that I think is what I want to be commenting on making sure people are thinking about. PFM can help people and may be a powerful force in changing a very real problem that lurks below many of our larger social issues, and I don’t want to see it fall into disuse because of a human error on one site.

        • “Why, because I’m commenting on something that has an effect on everyone using a personal finance application?”

          No, because you take every opportunity to veil plugs for your own product (OMG THRIVE!!!) as discussion points on *every single PFM post on TC* with your loquacious essays.

          http://en.wikip...mbulance_chaser

          come on, you’re a senior partner social behavior senior technological scientist researcher esquire, you should know what it is.

          *preparing myself for the 50000 word count reply about your benefit to humanity and goodwill towards all*

    • Matt,

      “I can look at the data from our site, month-to-month, and actually see real change. ”

      Isn’t that a bit of a breach of privacy in itself? That employees at your company are looking at users’ financial data? What data do you look at? Mind expounding a little to put my mind at ease?

      • Absolutely. I’m the Lead Scientist here at Thrive, and in trying to create better features for our users, I often look at anonymous user data within the company to help decide how we can modify existing features or build new ones. So, as an example, I can take a correlation between two events, like “how far have user’s spending rates decreased?” and “how often does the user look at their spending goals?” and see whether spending goals are helping people save.

        With regard to who has access to data, I don’t have any direct database access, despite being a senior member of our team. I don’t want access; why open up another potential security hole? Instead, I make a request to the Lead Engineer to pull me an anonymous data report with specific variables (in the case I mentioned above, spending rates and number of views of the spending goals page). So he generates a file with just two columns, and each one contains one of those pieces of data. There is no other information in the file, just those two variables. He then encrypts that file, puts it on a USB key, and walks it over to my desk. I plug that key into my data processing machine (which isn’t even on the network, so it is physical access only), he decrypts the file, and then I start to do my data analysis.

        So, in summary:

        What I see = anonymous data with only the variables of interest

        Where it is stored = on a non-networked machine with an encrypted hard drive

        In order to get access, someone would have to break into our Manhattan office and take my machine, then try to figure out how to decrypt my hard drive, and in return they’d get a file with two columns and no data that they would find useful.

        Is that more clear? Feel free to let me know here, or by emailing me at matt@justthrive.com, or calling us at 1.888.831.4080.

        • Thanks, Matt. I knew the hawk-eyed would pick up on that.

        • @matt Do you have the day off from work?

        • @Dave: No problem. I should have explained more fully – we’re just a data-driven company and we do extensive user testing as well, so I often don’t think twice about explaining why I use the data: it is just a standard part of helping build a better product for them. Thanks for the catch!

          @Rob Silver: Nope. I’m actually speccing out a new feature (coming in late June!) at the moment, and keeping TechCrunch open in a side window to drop quick comments. Because I know that people are helped by personal finance sites (data is awesome), I wanted to make sure that one error by a single company didn’t cast doubt over a whole cluster of sites.

    • “instead of separating the emails, it appended them together,”

      So was it Yahoo’s fault or not? Who did the appending?

      I think the more important question is: Why trust Yahoo with your financial information, your identity, etc.

    • Dear Techcrunch,

      Kindly blank out the email address of the first entry in the screenshot in this article.

      You’ve inadvertently shown the whole world how much he has in his account.

      Niyi

  • Here’s the real story: did people complain on FriendFeed too?

  • I would like to mention that even if they did expose our http://www.worstpizza.com bank account, there wouldn’t be much for you guys to see, so I will formally state here that it is 0!

  • lol I like the tweet in the middle about the Dutch Rudder from Zach and Miri make a Porno

  • An utter, utter nightmare for all concerned.

  • Talk about exposing people… Tweet # 4… Dutch Rudder?!?

    F’ing brilliant. Totally just made my day…

  • They’re gonna go under…

  • It must be a nightmare for Rudder’s users. Soon Rudder will be kicked out of the financial banking system. Losing trust, losing customers. Good luck on the way down, Rudder.

  • It’s read only, so the worst that can happen is someone knows your email address.


  • same thing happened to me. Not cool at all. I was able to login to someone else’s account, so just closed my account, one would hope that after an account is closed, someone else still can’t view it.

    This could happen to any company that does this like mint, yodlee, etc, but I haven’t received an explanation, nothing on their website, etc

    • Benji,

      First of all, I’d like to sincerely apologize for the issue that caused multiple emails to be sent containing the financial updates of other Rudder users.

      We have created a post which provides the details of what happened, along with our detailed response to the issue – http://rudderup...ate.tumblr.com/

      I’d like to reiterate our apologies to those affected. Although nothing in the email would enable recipients to access bank accounts, withdraw funds or transfer money, our users’ peace of mind is of utmost importance to us. Therefore, we will provide affected users with a subscription to an Identity Theft Monitoring service, paid for by us.

      Your trust and security is of utmost importance to us and we will go above and beyond the call of duty in every aspect of our business in order to regain your confidence.

  • This is a serious issue! Though fortunately it’s read-only data. I have signed up in http://www.pageonce.com but now after reading this I’m kind of scared!

  • Dutch rudder? LOOOOOOOOL.

    Pointless web company goes under. Whatever.

  • As another competitor to Rudder in the PFM space I feel for them and personally know them and they are a good team that has all their users’ best interests in hand. Trust is huge in the personal finance space and all companies are doing their best to provide not just a great service to manage your money, but to ensure that your money and data is safe.

    This is the reason we at BudgetPulse decided to opt for a manual input tool, one that does not sync with bank or personal account information because of fear of an event like this.

    There is real value and reward from personal budgeting software and would hate to see others move away from the personal finance space when so many companies like BudgetPulse bring exception value and safety to everyone. I hope people can evaluate the Rudder crisis as an isolated event and not hold it against the industry.

    Craig Kessler
    Marketing Director at BudgetPulse
    craig@budgetpulse.com

    • It would seem you’re comparing apples and oranges. How does manual input relate to email notices?

      “exception value?”

      It’s typos in code that cause problems like this.

  • The entry barrier into web based services is very low. It takes 2 guys & a garage to start something like rudder or mint.com. They are excited people with good ideas but little clue about running a robust consumer services based business.

    I can’t believe people take their financial information so lightly that they go around creating accounts at these websites!

  • I love that the homepage still says “Free and Secure!” and contains no language about resolving the issue, AND that techcrunch’s logo appears at the bottom of it. hah. just to be a little preemptive-yes i know that doesn’t mean its an endorsement, but its still funny because it sorta looks like one.

  • Well, if they have an in-house PR guy, he’s gonna be a tad busy…I’d love to see how they spin this…

  • i believe that when it comes to people’s money, you only get to fuck up ONE time – goodbye rudder, sounds like you’ll be in the dead pool within 12 months…i would NEVER even consider this service and will warn away friends after reading this piece…

  • I wonder how many of those people Twittering about Rudder use the same password for Twitter (HTTP only, no HTTPS option even for login) as they do for Rudder?

  • Only because it was designed wrong I guess, or was it designed to have a fail mode like this?
    I guess no answer is valid, only that someone got it very very very very wrong.
    Let’s not even consider what access employees have and just how far would you trust those kind of developers who had designed it like that.

  • This is why I don’t use rudder, mint or any of those sites. Do you really want to trust your highly sensitive info with a startup? No thanks.

  • i remember logging into salesforce once and seeing someone else’s data (sales guy was good – he had cell phone #’s to the daughter of CEO of PG&E) but that was years ago

    but this is why I don’t use these young companies just yet – want to see them last a few years then will be on board. Sorry Mint, et al., but having ID theft is a nightmare – takes years to unravel.

  • This is Nikhil Roy, the Founder & CEO of Rudder.com

    We at Rudder sincerely apologize for the issue that resulted in the financial updates of up to 732 of our users being sent to one another. We have identified the problem, assessed the full scope of the issue and have implemented measures to ensure that it will never happen again.

    Although nothing in the email would enable recipients to access bank accounts, withdraw funds or transfer money, our users’ peace of mind is of utmost importance to us. Therefore, we will provide affected users with a subscription to an Identity Theft monitoring service, paid for by us.

    In addition, we promise to work tirelessly, from here on out, to restore user confidence.

    We have set up a hotline for concerned users to call – (877) 730 4914 extn 0.

    Here’s a summary of what happened:
    On May 18th, 2009 we made a change to our utility that generates custom email updates for each individual user. On the morning of May 19th, 2009, the first time the emails were sent out after the change, instead of sending out emails to each individual user, a bug in the utility caused it to append several email addresses together. The issue was detected early and subsequently all email communications were stopped. However, incorrect emails were sent to users whose email addresses started with either a number or the letters “a” or “b”. In total, emails were sent out for 732 users (less than 2% of Rudder’s user base). We’d like to reiterate that Rudder has “read only” access to your account balances and transactions. We do not store account credentials like user names, passwords, or your personal information like name, address or social security number.

    To be clear this incident was not the result of a security breach, nor was any third-party hacker involved.

    We greatly appreciate the generosity that the Rudder user community has shown us thus far, and for those of you who choose to continue managing your finances with us, we will go above and beyond the call of duty in every aspect of our business in order to regain your confidence.

    Anyone who wishes to cancel their account and delete all associated data may do so here https://www.rud...r.com/settings/.

    The online banking industry itself (including companies large and small) has been grappling very publicly with issues of security and privacy for many years.

    More than anything, we hope that users do not let this incident discourage them from pursuing the benefits of managing their finances online, regardless of which provider they may use. Improving Americans’ financial health has been our mission since day one, and we continue to believe that this new generation of personal finance management applications, including Rudder, have the potential to change the world for the better.

    Sincerely,
    Nikhil Roy
    Founder & CEO
    Rudder.com

  • My wife gags at the prospect of aggregators, such as mint.com, for this very reason.

  • Matt's mom-in-law - May 19th, 2009 at 9:30 pm PDT

    Matt
    Seems like you have a lot of time on your hands.
    Do you spend all your time on techcrunch? Your investors should be concerned as all you do is get your marketing spills here.

  • This could bring tons of lawsuits, especially with personal information involved. I predict this site will not last long. Goodbye ……

  • I’m sure brendan doherty doesn’t appreciate that you failed to blank out his email address in your screen capture included in this article.

  • Uggggg, what a mess. This sort of computer mess really holds everyone back on adoption of online banking and other supposedly secure features.
