Urgent Notice to Rudder Users
Today, 732 Rudder users were sent alerts via e-mail, which could have potentially included information like account balances, transactions and bills of different users. This issue was not the result of a data breach, but was due to a software issue in our program that generates emails. It is important to know that Rudder has “read only” access to your account balances and transactions and we do not store account credentials like user names, passwords, or your personal information like name, address or social security number.
We have confirmed over the span of 10 successive checks that the damage was limited to 732 users. Every user whose information was disclosed is being contacted personally by our team.
All of these communications should be completed within the next 2 hours.
If users have any questions or wish to speak to a Rudder representative, they should call the hotline we have set up at (877) 730-4914, extension 0.
On May 18th, 2009, we made a change to our program that generates custom email updates for each individual user. On May 19th, 2009, due to a software bug, the email program sent out multiple emails to multiple users, which could have provided access to information that related to a different Rudder user. The issue was detected and identified early on, and all email communications were subsequently stopped. However, incorrect emails were sent to users whose email addresses started with either a number or the letters “a” or “b”.
In total, emails were sent out to 732 users (less than 2% of Rudder’s user base). We’d like to reiterate that Rudder has “read only” access to your account balances and transactions. We do not store account credentials like user names, passwords, or your personal information like name, address or social security number.
What are we doing about it?
First, the email alert system has been completely turned off, and the links that log you into your Rudder account have been disabled.
Second, to address the concerns of the affected users, we will be contacting them individually to offer them a complimentary subscription to an Identity Theft protection service.
Third, we will engage an independent security auditor to survey our systems and identify any weaknesses or risks in our architecture. The security auditor will also look at the human side of the equation and how our internal processes can be likewise improved so as to focus on checks, balances, and prevention.
To be clear, however, this was not the result of a security breach, nor was any third-party hacker involved. That said, we are taking every extra precaution.
Users who wish to completely cancel and delete their accounts may do so immediately here: https://www.rudder.com/settings/
What data has been exposed?
The e-mails that went out today included access to the following information:
- E-mail address of the Rudder account holder
- Account balances of the Rudder account holder
- Recent transactions of the Rudder account holder
- Bills of the Rudder account holder
What data was not exposed?
Rudder does NOT have access to the following information. Even in the event of a full security breach, it is impossible for anyone to retrieve:
- Full (given) name (unless your name is in the email address)
- Social Security Number
- Account number(s)
- Bank/Credit Card website user names or passwords
Why it will never happen again.
In addition to the security audit, our alert server and distribution system will be rebuilt from the ground up. We will keep you up-to-date on this process, every step of the way. We are launching a Rudder Security Update tumble log here: http://rudderupdate.tumblr.com/ to provide these communications. We will also be communicating with users by e-mail and phone, if necessary.
We greatly appreciate the generosity that the Rudder user community has shown us thus far, and for those of you who choose to continue managing your finances with us, we will go above and beyond the call of duty in every aspect of our business in order to regain your trust. Of course this will only happen over time, and we understand that trust, especially when it comes to banking and financial information, is of critical importance.
Again, anyone who wishes to cancel their account and delete all associated data may do so here: https://www.rudder.com/settings/.
The online banking industry itself (including companies large and small) has been grappling very publicly with issues of security and privacy for many years. We sincerely regret that Rudder let down our users with this breach.
More than anything, we hope that users do not let this incident discourage them from pursuing the benefits of managing their finances online, regardless of which provider they may use. Improving Americans’ financial health has been our mission since day one, and we continue to believe that this new generation of personal finance management applications, including Rudder, has the potential to change the world for the better.
The Rudder Team