Moonpig, a large supplier of personalised greeting cards, recently was faced with a serious cyber security flaw. More worrying is that the online company had more than 18 months to fix the flaw, without any subsequent action taken. According to consultancy firm Moorhouse, this kind of error can be disastrous not only for clients whose information ends up on the street, but also for companies whose reputations can be trashed – the moral of the story, take cyber security serious.
Ripe for the harvest
Moonpig, founded in 2000, is the largest online personalised greeting cards store in the UK, in 2007 they had a 90% market share and shipped nearly 6 million cards. In July 2011 they were bought by PhotoBox. Early in January 2015 a program developer, Paul Price, voiced his frustration on his blog about Moonpig’s repeated failure to close a major and simplistic security flaw in its customer application programming interface (API). Through the flaw up to 3.6 million customer records, including every account and the names, birth dates, and email and street addresses could be accessed by simply changing the customer identification number sent in an API request. There was also no script-limiter, so a hacker could theoretically write a script that quickly and systematically would check and harvest the personal information on every account number with a range. What’s worse is that financial data, the last four digits and expiry date of credit cards associated with accounts, was also available. A potential treasure trove of personal information for hackers and marketers alike.
Richard Brackstone, Director at Moorhouse, comments on the issue of data security related to the case: “Digital companies have grown rapidly over the last two to three years and a vast amount of data is being submitted to and transferred by them for marketing and sales purposes. Data is both the property of the company you give it to and a B2B currency; often to access services, terms and conditions must be accepted, and these usually include giving up a number of rights on privacy of information.” The issue, according to Brackstone, is that growth in data storage has far outpaced legislation. “Companies are reluctant to see legislation introduced and will resist an overregulated market in this space, but there will come a point when regulation will become far better defined and enforced, probably around the moment of a major incident and public outcry.”
Sitting on their hands
While an unintended flaw like this would be bad for any company, especially since the API architecture already contained ways in which to prevent this flaw, this case is made considerably worse by the flaw being known about for 18 months. Programmer Price first informed Moonpig of the flaw at the end of Aug 2013, after several emails Moonpig responded that they would “get right on it". After a follow-up email in September 2014, since the issues still hadn’t been resolved, Moonpig replied that they would be resolved "before Christmas". Since they again failed to follow through with their apparent commitment to resolve the issue, Price released the flaw publically on his blog, forcing the company to shut down the API and release a statement, stating that “We [Moonpig] are aware of claims re customer data and can confirm that all password and payment information is and has always been safe”. However, since the flaw existed for 18 months, and there is little way to check if a hack or abuse has occurred, closing the stable doors at this stage and claiming that the horses inside haven’t been copied, is not necessarily reassuring.
Brackstone comments: “The delay between Moonpig being notified of the data flaw in its app and actually taking action is of concern and the bad customer management has damaged its brand. Data is an asset that needs to be protected and the credibility of the company managing it is heavily dependent on its own governance and security measures to do this.” The Moorhouse advisor recommends companies to view data management and security as an increasingly key part of a firm’s operations, and not just an IT phenomenon. “When driving a digital transformation strategy and delivery, data management and security needs to be an integral investment. No company wants to be the next Moonpig of data security,” he concludes.