Moorhouse: Moonpig security fiasco is a wakeup call

20 January 2015

Moonpig, a large supplier of personalised greeting cards, recently was faced with a serious cyber security flaw. More worrying is that the online company had more than 18 months to fix the flaw, without any subsequent action taken. According to consultancy firm Moorhouse, this kind of error can be disastrous not only for clients whose information ends up on the street, but also for companies whose reputations can be trashed – the moral of the story, take cyber security serious.

Ripe for the harvest
Moonpig, founded in 2000, is the largest online personalised greeting cards store in the UK, in 2007 they had a 90% market share and shipped nearly 6 million cards. In July 2011 they were bought by PhotoBox. Early in January 2015 a program developer, Paul Price, voiced his frustration on his blog about Moonpig’s repeated failure to close a major and simplistic security flaw in its customer application programming interface (API). Through the flaw up to 3.6 million customer records, including every account and the names, birth dates, and email and street addresses could be accessed by simply changing the customer identification number sent in an API request. There was also no script-limiter, so a hacker could theoretically write a script that quickly and systematically would check and harvest the personal information on every account number with a range. What’s worse is that financial data, the last four digits and expiry date of credit cards associated with accounts, was also available. A potential treasure trove of personal information for hackers and marketers alike.


Richard Brackstone, Director at Moorhouse, comments on the issue of data security related to the case: “Digital companies have grown rapidly over the last two to three years and a vast amount of data is being submitted to and transferred by them for marketing and sales purposes. Data is both the property of the company you give it to and a B2B currency; often to access services, terms and conditions must be accepted, and these usually include giving up a number of rights on privacy of information.” The issue, according to Brackstone, is that growth in data storage has far outpaced legislation. “Companies are reluctant to see legislation introduced and will resist an overregulated market in this space, but there will come a point when regulation will become far better defined and enforced, probably around the moment of a major incident and public outcry.”

Sitting on their hands
While an unintended flaw like this would be bad for any company, especially since the API architecture already contained ways in which to prevent this flaw, this case is made considerably worse by the flaw being known about for 18 months. Programmer Price first informed Moonpig of the flaw at the end of Aug  2013, after several emails Moonpig responded that they would “get right on it". After a follow-up email in September 2014, since the issues still hadn’t been resolved, Moonpig replied that they would be resolved "before Christmas". Since they again failed to follow through with their apparent commitment to resolve the issue, Price released the flaw publically on his blog, forcing the company to shut down the API and release a statement, stating that “We [Moonpig] are aware of claims re customer data and can confirm that all password and payment information is and has always been safe”. However, since the flaw existed for 18 months, and there is little way to check if a hack or abuse has occurred, closing the stable doors at this stage and claiming that the horses inside haven’t been copied, is not necessarily reassuring.

Moorhouse - Cybercrime

Brackstone comments: “The delay between Moonpig being notified of the data flaw in its app and actually taking action is of concern and the bad customer management has damaged its brand. Data is an asset that needs to be protected and the credibility of the company managing it is heavily dependent on its own governance and security measures to do this.” The Moorhouse advisor recommends companies to view data management and security as an increasingly key part of a firm’s operations, and not just an IT phenomenon. “When driving a digital transformation strategy and delivery, data management and security needs to be an integral investment. No company wants to be the next Moonpig of data security,” he concludes.


Grant Thornton advises on deal for high-growth cloud hosting firm

08 April 2019

Grant Thornton’s North West Corporate Finance team has completed its first TMT deal of 2019. The professional services firm advised the shareholders of Hosted Desktop UK on their investment from specialist SME lender Beechbrook Capital.

Technological disruption and changing consumer behaviour have continued to affect top Technology, Media & Telecommunications (TMT) players in recent years. The industry has seen revenues border on stagnation over the past decade, at 0.4% annual growth since 2008. While the industry is keen to develop new digital services and models to meet market challenges, they face a range of barriers – meaning the recruiting of talent specialising in innovative software and technology has become a key goal for the industry.

Amid this, Hosted Desktop UK (HDUK) provides cloud computing services to small and medium sized businesses across the UK. The firm’s cloud solutions provide businesses with IT reliability, flexibility, value for money and business continuity. As the firm bids to grow in the UK, with demand for its disruptive technologies high, HDUK has secured a key investment from specialist SME lender Beechbrook Capital.

Grant Thornton advises on deal for high-growth cloud hosting firm

The transaction was Beechbrook Capital’s maiden deal from its latest UK SME credit fund, which supports small and medium-sized businesses in the UK with EBITDA of £1 million and above. Manchester law firms Pannone Corporate (sell-side advice, led by Mark Winthorpe) and DWF LLP (buy-side advice, led by Jonathan Robinson) also advised on the deal, while Grant Thornton’s North West Corporate Finance team advised HDUK’s shareholders.

The deal represents the Grant Thornton branch’s first TMT deal of 2019, with a team comprised of Partner and Head of Corporate Finance Peter Terry, Manager Daniel Brecker and Assistant Manager Cariad Mudford advising HDUK shareholders on the investment. It is the third key deal in the TMT sector that the GT North team has advised on in the last 18 months, following the £16.5 million sale of Salford-based Sonassi to Iomart in December 2017 and NorthEdge Capital’s investment in Yorkshire company iPortalis in August 2018.

Grant Thornton’s Peter Terry said of the news, “As our domestic and working lives become ever-more technology dependent, it’s no surprise that there continues to be strong investor interest in any asset in the cloud computing, data infrastructure and connectivity space… We were pleased to work with Beechbrook Capital on the first deal in its new fund. It shows that despite the well-documented uncertainties in the economy there are still good funding options for dynamic SMEs and their management teams.”