Personal finance Managers (PFMs) are the hottest property in Finance 2.0 at the moment. The likes of Mint, Wesabe, Quicken, Buxfer, Thrive etc. (sorry if I missed any of you out, but it’s probably for the best once you read on!) have been beavering away for a year or two now, polishing their tools & marketing messages, and have started to break into the mainstream with credible propositions. Their modus operandi is predicated on the ability to aggregate, analyse and present (in a sexy web 2.0 UI) a user’s personal financial data (i.e. bank account, credit card, brokerage account etc.), advise on improvements, and in some instances, execute against those recommendations. So far, so good; we could all do with that sort of help.

But lets take a step back a bit. How is this data aggregation achieved, and what happens to the data once it’s been grabbed by the PFM? Depending on which PFM you use, the answer ranges from good to bad. Yodlee is the power behind many of the PFMs, and uses what many IT security professionals regard as a security nightmare technique called “screen-scraping” to achieve data aggregation. Yodlee relies on the user to physically hand over log-in credentials for their financial accounts in order to crawl the websites of financial institutions and literally grab the data right off the web page. Does this breach the user’s terms of service for online banking etc? In it’s purest sense, probably. Does this mean the user wouldn’t be ‘covered’ in the event of a subsequent fraudulent use of that online banking service? Maybe. Some of the PFMs try to avoid this issue by keeping the log-in credentials on the user’s desktop (step forward Wesabe; take a bow), but is this enough to keep your personal financial data secure and for your eyes only?

Well, according to twitter user @adambassador, the answer as of about an hour ago is most emphatically no. And here is why:

Rudder messed up

In truth, this was an accident just waiting to happen. The question now: is this just a one-car-wrapped-around-the-lamp-post deal, or are we looking at a Rudder trainwreck?

Looks, unfortunately, as if the answer might be the latter. Ten minutes ago, twitterer @adietz wrote “Getting stacks of emails from rudder.com for accounts that aren’t mine… Thought I would close my account but I can’t log in. Boo Hiss.”So, that’s at least two users who have received a bucketload of email containing other people’s financial data, maybe even yours…

…and no-one is answering the phones at Rudder HQ; I got put through to an answering machine. I’ve tweeted Rudder CEO Nikhil Roy @nikhilroy but no response yet. I’ve also emailed Rudder support for their comments. It’s gonna take a monumental PR effort for Rudder to survive this if the news breaks to a wider audience, and the collateral damage to the other PFMs may result in a number of further fatalities.

This doesn’t look good.

ADDENDUM: I’m certainly not suggesting this is attributable to the data aggregation services these PFMs use; this looks to be fairly & squarely a Rudder cock-up. For the record, Rudder doesn’t use Yodlee for data aggregation; they have a relationship with another aggregator called Cashedge. The purpose of mentioning these data aggregation services & techniques in this post is to provide a fuller picture of the perils & pitfalls of handing access to personal financial data to third parties.

Updates

UPDATE: On May 15th, @adambassador tweeted that Rudder was showing the wrong balance for his checking account, and it’d been like that for 4 days. It’s getting worse; I really did think this was just an automated email problem, but now it looks like there may be data issues too.

UPDATE 2: @alirtsman tweets that “rudder.com just accidently sent me dozens of confidential statements belonging to other customers. time to switch”. Hitting the fan, Rudder; better do something quick…

UPDATE 3: On May 7th, Rudder CEO Nikhil Roy @nikhilroy re-tweeted a link to an article: “Want To Position Your Start-Up To Be Acquired?” Oh dear, this is turning into a real Tommy Cooper moment, Nihil…

UPDATE 4: This from Rudder’s FAQ; hilarious:

“If you’ve signed up for Rudder and you’re not receiving emails, it’s not your fault. It’s the fault of the hysterical legislators who write anti-Spam laws that don’t differentiate between legitimate services like ours and blatantly false (though still tempting) advertisements for penis elongation. The information below will help you correct your email settings in various browsers, thereby ensuring that the life-changing power of Rudder lands in your Inbox instead of your junk mail. Also included are instructions on how to unblock images so you can enjoy Rudder in all its glory.”

To my knowledge, I don’t think any spammer has managed to email pictures of my pre-op tumescence to another individual.

UPDATE 5: If you are a Rudder user, this is the type of personal data they are emailing to other people right now (screenshot courtesy of @adambassador):

content of one of Rudder's erroneous emails

UPDATE 6: @aaronaiken also tweeted: “Rudder.com seems to be having problems”, but that’s nothing compared to what “Dave” has commented on below! Oh dear, Rudder meltdown…

UPDATE 7: Rudder’s Privacy Policy states that users must “…agree to (a) immediately notify Rudder of any unauthorized use of your password or account or any other breach of security”. What happens when they appear to be the cause of the breach? Well, don’t bother trying to phone, tweet or email them; they don’t reply…

UPDATE 8: Game’s up; Mashable & Techcrunch have run the story, and Rudder’s CFO Nikunj Somaiya has come clean (see 2nd paragraph). Other PFMs now scrambling to contain the fallout.

FINAL UPDATE: Over 700 users were compromised by Rudder’s security breach (that’s just under 4% of their user base – based on numbers before this happened, of course!). The breach was caused by an attempt to fix a problem with daily email updates to users, which were being caught in a Yahoo spam filter. Unfortunately, the fix wasn’t tested properly, and each user ended up getting everyone else’s updates too, until Rudder realised their error and shut down the email system. The story is about to trend on Twitter, but Rudder still hasn’t made any effort via their website to tell users what is going on. Users who have either  received 100s of sets of sensitive financial data or have had their own data exposed, have not been contacted by Rudder, either!

Related posts:

1. Looking back at Finovate Start-up 09
2. Live from Finovate Startup 2009