
Thursday, May 7, 2009

DebtGoal Responds to Security Breach

I want to clarify: I got this email a few days ago, but I haven't been well and haven't posted DebtGoal's reply to my questions due to illness. I requested a more complete reply from DebtGoal about the nature of the problem and how they'd like to respond. I actually received the response on Sunday, and I'm attaching that below.

Here's a response that you can post on the blog. LMK if you think I could be more effective. We really do care about this stuff and work hard to make a great product. We missed something on this one and we learn from it and move on.

********************

Jessica

Thanks for your ongoing coverage of DebtGoal.com. You've been a great supporter and have given us a lot of valuable feedback that has truly helped us create a better service.

As you pointed out in your recent blog post, we did experience a bug last Friday where we sent out a limited number of monthly progress report emails with inaccurate statement data. We traced the issue to a memory buffer error that failed at high volumes to clear after each email was generated. We have implemented a fix for this bug and resent corrected monthly reports a few hours after the issue was identified.

We apologize for the error, as we know that you and our other users put your trust in us to help you manage your finances. As a result of this issue, we are revising our Quality Assurance practices to better detect these issues through automated validation and live error detection. It's never possible to eliminate all possibility of errors, but the changes we are implementing will lead to much more robust releases.

Above all, I want to communicate that we do take quality and security seriously. We will continue to proactively improve our processes and quality. As we're in Alpha release, some of this QA work is done by our users and we remain very appreciative of the suggestions and feedback that we get on a daily basis and thankful for their understanding when things don't go exactly according to plan. Thanks again for your support and feedback.

Scott Crawford
CEO, DebtGoal.com

Friday, May 1, 2009

DebtGoal: How big can a 'glitch' be and still be a 'glitch?'

Today I was shocked to learn that in the past month I've made zero progress towards paying off the balance on my Target Visa card, which sits at a whopping 20% interest rate.

Mostly, I was surprised because I've never had a Target card. I've also never had a credit card with a 20% interest rate. I'm sure you can imagine my shock!

That said, I'm sure someone else was even more surprised when they opened their DebtGoal statement and discovered that they owe USAA the cost of roughly one month in Africa plus airfare for three. (Sometimes I still surprise myself).

As it turns out, a "glitch" occurred in DebtGoal's system that mistakenly sent someone else's statements to "a limited number of users."

Thankfully, DebtGoal doesn't actually collect account numbers, and I didn't receive any identifying information about the person whose statement I received. I communicated with DebtGoal and was told it was an error, which affected only some of their users, and a few hours later received an accurate statement.

It did get me reconsidering, though. I leave all of my organizing to the Web. I'm responsible for little file storage or organization of actual "paper"; some free Web service is out there for everything. My digital photos are all stored online (presuming this to be FAR more reliable than my hard drive or a DVD my kids are likely to turn into a school construction project).

According to an article from TechCrunch in April, Facebook, Twitter and Google Documents have all recently had similar breaches. I myself have experienced misdirected Twitter tweets, and even some people have complained of trying to view my profile and getting someone else's (usually SPAM-intense or otherwise offensive) profile.

Just how much faith should we have in the cloud? What can our providers do to ensure that we won't have our personal information or bank account balances eventually being tied to our Google profiles because of some security "glitch"?

Which brings me to my last point...someone must distinguish the lines between a security "anomaly," "glitch," "error," "leak," and an all-out "hemorrhage."

Don't be mistaken: I'm not unhappy with DebtGoal. They didn't release sensitive information to me, mostly just confusing. I don't think they even store sensitive data (their structure wouldn't require it). That said, other sites I use regularly do. Sometimes I use a favorite site like Amazon, PayPal or other to see what my credit card number actually is--as I shredded it a few months ago. If they're the only ones that still know my credit card number, I really want to make sure it's safe. Exactly how much should we be trusting "the cloud?"

Update: DebtGoal responds to security breach

Jessica Ward is a freelance writer from Seattle. She writes on personal finance, technology and family. To learn more, visit www.jessicaward.me or follow her on Twitter at @jessc098