
Urgent Notice to Rudder Users [email]

The following message showed up in my inbox this afternoon. Because I’ve written about Rudder in the past, I figured that it was best that I also share this email. I think it is very respectable that they were so quick to admit the wrongdoing and show their plans for preventing it from happening again. What do you think?

Today, 732 Rudder users were sent alerts via e-mail, which could have potentially included information like account balances, transactions and bills of different users. This issue was not the result of a data breach, but due to a software issue in our program that generates emails. It is important to know that Rudder has “read only” access to your account balances and transactions and we do not store account credentials like user names, passwords, or your personal information like name, address or social security number.

If you have questions or wish to speak to a Rudder representative please call our hotline at 1 (877) 730-4914 extension 0.

What happened?

On May 18th, 2009 we made a change to our program that generates custom email updates for each individual user. On May 19th, 2009, due to a software bug, the email program sent out multiple emails to multiple users, which could have provided access to information that related to a different Rudder user. The issue was detected early and subsequently all email communications were stopped. However, incorrect emails were sent to users whose email addresses started with either a number or the letters “a” or “b”. In total, emails were sent out to 732 users (less than 2% of Rudder’s user base). We’d like to reiterate that Rudder has “read only” access to your account balances and transactions. We do not store account credentials like user names, passwords, or your personal information like name, address or social security number.

What are we doing about it?

First, the email alert system has been completely turned off, and the links that log you into your Rudder account have been disabled.

Second, we are offering affected users a complimentary subscription to an Identity Theft protection service. The details of this offer will be made available later this week.

Third, we will engage an independent security specialist to review our processes and provide recommendations on controls to prevent anything like this from happening again in the future.

To be clear this incident was not the result of a security breach, nor was any third-party hacker involved.

Users who wish to completely cancel and delete their accounts may do so by clicking here and logging in. https://www.rudder.com/settings/

What data has been exposed?

The e-mails that went out today included access to the following information:

* E-mail address of the Rudder account holder
* Account balances of the Rudder account holder
* Recent transactions of the Rudder account holder
* Bills of the Rudder account holder

What data was not exposed?

Rudder does NOT have access to the following information. Even in the event of a full security breach, it is impossible for anyone to retrieve:

* Full (given) name (unless your name is in the email address)
* Social Security Number
* Account number(s)
* Bank/Credit Card website user names or passwords

Why it will never happen again.

In addition to the security audit, our alert server and distribution system will be rebuilt from the ground up. We will keep you up-to-date on this process, every step of the way. We are launching a Rudder Security Update tumble log here http://rudderupdate.tumblr.com/ to provide these communications. We will also be communicating with users by e-mail and phone, if necessary.

We greatly appreciate the generosity that the Rudder user community has shown us thus far, and for those of you who choose to continue managing your finances with us, we will go above and beyond the call of duty in every aspect of our business in order to regain your confidence.

Again, anyone who wishes to cancel their account and delete all associated data may do so here https://www.rudder.com/settings/.

The online banking industry itself (including companies large and small) has been grappling very publicly with issues of security and privacy for many years. We sincerely regret that Rudder let down our users with this breach.

More than anything, we hope that users do not let this incident discourage them from pursuing the benefits of managing their finances online, regardless of which provider they may use. Improving Americans’ financial health has been our mission since day one, and we continue to believe that this new generation of personal finance management applications, including Rudder, have the potential to change the world for the better.

Sincerely,
The Rudder Team

  • http://www.justthrive.com matt @ Thrive

    Thanks for posting the letter! It is nice to see them acknowledge that it would be a shame to let this error keep people from using online financial management. It goes without saying that trust is a huge issue in the personal finance space, and in the end, you stake your reputation on your ability to deliver not just to deliver a quality experience to your users and to actually save them money, but also on your ability to protect the money they have. I’d hate to see people swear off the personal finance space in general because of the mistake of a single company – just because the Ford Pinto was prone to exploding does not mean that you shouldn’t drive cars from other companies.

    I am not trying to trivialize this data breach: it is a serious issue. But as a personal finance advisory website, Thrive has helped people spend less and save more. I can look at the data from our site, month-to-month, and actually see real change. So there is real reward to using a personal finance site and I would hate to see people move away from this space simply because of the bad practices of one company. Thrive, along with others in the personal finance space including Wesabe and SmartyPig, bring real value to the people that use them and that is important to remember when evaluating the Rudder incident.

  • http://atcrawford.com Drew

    Like you, I also hope that this faux pas will not discourage people from using online personal finance tools. There is simply too much to be gained from these services.

    I would not be surprised if Rudder lost a ton of users over this, and probably rightfully so. While no personally identifying data was compromised, there was a serious breach of trust. A personal finance service that can’t be trusted is a service that shouldn’t be used. Plain and simple.
