Personal finance start-up Rudder suffers security lapse
21 May 2009
Houston-based personal financial management start-up Rudder has inadvertently exposed the private account details of hundreds of individuals to other users of the site.
Daily account updates sent to two percent of Rudder's active users also provided a direct link through to the accounts of hundreds of other subscribers, where visitors could view balance updates and transaction information relating to personal bank accounts, credit cards and bill payments.
Rudder says that in total 732 accounts were compromised, but that no bank user names, passwords, addresses or other personal identity-based information were exposed.
In a statement posted on its site, Rudder says: "This issue was not the result of a data breach, but due to a software issue in our program that generates emails. It is important to know that Rudder has 'read only' access to your account balances and transactions and we do not store account credentials like user names, passwords, or your personal information like name, address or social security number."
As a precautionary measure, the company says it will be offering a free identity-theft service to all compromised Rudder members.
Finextra verdict: Competitors such as Mint and Wesabe might be rubbing their hands with glee at the prospect of picking off defecting Rudder subscribers, but this security lapse reflects badly on the entire sector. Mint for one has recently been talking about charging commercial third parties for access to aggregated anonymous consumer spending data. Like Rudder, Mint doesn't store names or account numbers - and there's no danger of individual account compromise - but subscribers might revolt at the idea that details of their personal spending habits are being sold on to the private sector.