Mint.com Leaves a Bad Taste in My Mouth

Mint.com is a great website in a lot of ways. It's great to be able to track all your financial data in one place, it has a really nice user interface, and it's free. But when a company has access to so much of your sensitive data, it is an understatement to say that they need to be really careful with that data. Today Mint did something to lose my trust forever, something that led me to cancel my account immediately. Early this morning I received six blank emails from stage-mini@mint.com. Being in the business, I immediately recognized that this was likely coming from Mint's staging (test) server. I went to their support forums, searched for this issue, and found this thread. I was the eighth person to comment and now there are over 200 comments and counting. The main frustration seems to be with the fact that Mint tried to reassure users that no customer data is stored on the test system from which these emails originated. That begs the question: then why did it store our email addresses?

The websites I work on store far less sensitive user data than banking and credit card information, and yet we never EVER store real user email addresses (or mailing addresses or passwords) in our test environments. The fact that Mint screwed this up reveals a major lack of competence in the area of security. And security needs to be their top priority, or at the very least a core competency. If they aren't getting this right, what else aren't they getting right? Consequently, I cancelled my Mint account just about as fast I as could.

The lesson here is not so much that companies shouldn't store real user data on their test systems, but that if they do, they need to clearly communicate that to customers. If Mint had said, we store no customer data in our test systems other than email addresses, I may have questioned why they needed our emails on the test environment, but I still might have trusted them. When they said they stored NO customer data on stage, and yet somehow that environment had my email address, well, then all trust is lost.