My good friend Andy Willingham today celebrated one year of blogging. Andy, thanks for a year of sharing ideas, insights and your passions! If you’re not currently reading Andy’s Blog – you’re absolutely missing out. To celebrate a year, he pointed out that FaceTime recently experienced an unpleasant situation where customer information was disclosed. I think many of us realize that no one, and therefore no company, is perfect. FaceTime has proven that – and I think Andy presented a balanced view of the situation.
I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.
While I suppose this isn’t exactly the type of event you want to incorporate on the front page of your website, the only public response I could find was in the Computerworld article. From what I read in the Computerworld article – FaceTime acted quickly and even notified people impacted. Yet, I was bothered by this response:
“However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.”
It’s a fair and valid statement to make. I suppose I would advise a client to make a similar statement, save one exception: I’d leave out the aspect of tying personal information to a limited set of data. I’m troubled by the concept that if it wasn’t a Social Security number, credit card number or something of the same, then no personal information was disclosed. Information of any kind has value – and while this was probably a mistake, I would expect a security company to have taken a different attitude.