While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it's a lot less bad than it looks.
This could have been phrased a bit better to include an actual apology. It's pretty easy to do: "Several months ago Blippy's limited beta test leaked data about four customers, including their credit card numbers. That is totally our fault. We have apologized to those four customers personally and have taken steps to make sure it cannot happen again. The site currently does not leak data, but those four customers' numbers are still visible on Google searches. We are working with Google to correct this and expect it to be resolved in a few hours.
Here are the improvements Blippy has made to deserve our customers' trust:"
[Edited to add:
The Japanese salaryman in me would suggest that the CEO sign this post. Phrasing might include "This was ultimately a failure of our internal quality controls, because it should have been caught several times before this data was exposed publicly. I take full responsibility for the lapse and have begun..."]
Culturally, in Japan, the title for the CEO (often) literally means "Person With The Highest Responsibility." (最高責任者 -- all the other CXOs are "Person with the Highest Responsibility For [Information, etc]") Within the company, I'm sure some junior engineer is going to get a royal chewout today, but to the rest of the world, the company is an impenetrable mass. When an employee screws up, the company has screwed up, and when the company screws up, the CEO (or division chief or whomever) apologizes because his job is managing the business such that it does not screw up.
When done well, I think this is one of the most emulation-worthy bits of the Japanese corporate culture. It sends a message internally that you will always back your people come what may, and externally that you're worthy of the trust your customers, shareholders, and business partners place in you.
You made a very public mistake -- apologize, wholeheartedly and genuinely, and accept responsibility. That's it!
Making it seem like it's not a big deal makes it come off defensive, unprofessional, and like an excuse..
Now is not that time for that -- use the mitigating details in a follow-up post that highlights your progress and what you've implemented to ensure it never happens again. Don't do it now.
Phil is non-CEO due to historical accident (I think he was CEO of adbrite still when blippy was launched and maybe it would have looked bad?).
are we still seeing the cc number?
What would you have liked to see from them? Prostrating themselves before you for revealing someone else's credit card data?
* Someone finds a small isolated mistake,
assumes the absolute worst
* Rumor, misunderstanding, exaggeration, sensationalism
* Opinion, how could they be so stupid, it's *so* simple!
* Over-reactionary moralistic boycots start
"Well I for one won't stand for this, who's with me!"
* One-upmanship starts "Well I for one want the CEO to apologise"
"I think the only decent thing is for them to cease trading".
"Lets start an anti-<company> website!". This is war.
* Sheep all join in and circlejerk for a while.
* News that the original premise was in fact wildly exaggerated
or just plain incorrect, gets lost in all the noise.
I'm not really sure what you're referring to. I haven't assumed anything, publishing credit card numbers is about the worst thing you can do when dealing with people's financial credentials. Maybe you don't think it's a big deal, but I'm sure you're not one of the people who's card information was being plastered on the internet.
Additionally, I don't think I was being sensationalist - when this posting first went up there was no apology, just a long explanation of why this wasn't a big deal.
I wasn't being moralistic, made no demands, nor did I exaggerate anything.
I've been here just as long as you have (longer, actually; but who's counting, right?) so you can save the reddit comments.
Pretty much guarantees I'll never use this site.
The same kind of people that go hunting for credit card numbers online?
"Thank you for reading. Philip Kaplan, co-founder"
It would not have occurred to me that the number might even be in the raw data. Sounds like the supplier is violating PCI. (That doesn't apply if the supplier is the card company or issuing bank--PCI is just something they require others to follow. They hold themselves to a much lower standard).
If you get past your expectations about their attitude, they are being pretty forthright about what actually happened; in many more contrite disclosures, you don't get this level of detail. I appreciate the detail.
I'd like to see something other than the standard "now we're getting third-party security audits" platitudes. For instance, I'd like to know that they have a software security person on staff now, since they're clearly dealing with credit card information that they don't fully understand.
I'm glad they candidly told us about what went wrong. There's an important lesson to remember about how everything put on the web can be indexed and stored even if it was only up for a short time.
I think companies fear legal repercussions. If you use certain words, you might be taking blame onto yourself in a legal sense and might have someone use that against you in a lawsuit.
I'm not sure about this incident but I definitely sensed that was the issue with the Justin.tv apology.
What other massive security mistakes are lying around in their codebase? Why does this sort of reply give me absolutely no faith that they'll deal with those problems seriously when/if they arise?
Having said that: I think Blippy was a dumb idea to begin with, and this dumb mistake may have been the final nail in the $11-million-Series-A-funded coffin.
I don't like this attitude. Anyway who cares when you have $11.2 million funding