Personalised greeting card company Moonpig recently became the latest in a string of companies to hit the headlines because of a flaw in its cyber security. The flaw was found by developer Paul Price back in August 2013. He contacted Moonpig and was told that it would fix the problem. Almost 18 months later the problem had not been resolved and Paul Price went public in an attempt to shock Moonpig into action.
The security flaw lay within the authentication used to grant access to the application programming interface (API) used by the mobile phone app. Price decoded the ‘auth header’, which revealed that the information stored in each customer’s account (such as name, address, and the last four digits of the credit card on the account) was not protected by the customer’s username and password, but solely by a 9-digit customer ID.
In plain English, once a hacker had set up an account he could simply change his customer ID and immediately access information held in another account. Given time, a hacker could systematically retrieve information from 3 million customer accounts.
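The failure described above is an object-level authorisation bug: the API proved that some account had logged in, but then let the client pick which customer record to return. The following is an added illustration written for this article, not Moonpig’s code; the store, session table, endpoint names and log format are all hypothetical. It places the broken pattern beside two hardened forms, and adds a simple log check that a defender could run to spot one session walking through many different customer IDs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: int
    name: str
    address: str
    card_last4: str


# Constructed sample accounts (hypothetical data, not real records).
CUSTOMERS = {
    100000001: CustomerRecord(100000001, "Alice Example", "1 Example Road", "1234"),
    100000002: CustomerRecord(100000002, "Bob Example", "2 Example Road", "5678"),
}

# Hypothetical session table: session token -> customer ID established at login.
SESSIONS = {"tok-alice": 100000001, "tok-bob": 100000002}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_customer_vulnerable(session_token: str, requested_id: int) -> CustomerRecord:
    """The broken pattern: the session only proves that *someone* logged in;
    the record returned is chosen entirely by the client-supplied customer ID."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    return CUSTOMERS[requested_id]


def get_customer_hardened(session_token: str, requested_id: int) -> CustomerRecord:
    """Object-level authorisation: the requested ID must be the one bound to the
    authenticated session; any other ID is refused before the store is touched."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None:
        raise Forbidden("not authenticated")
    if owner_id != requested_id:
        raise Forbidden("customer %d may not read customer %d" % (owner_id, requested_id))
    return CUSTOMERS[requested_id]


def get_own_customer(session_token: str) -> CustomerRecord:
    """Simplest fix for a 'my account' endpoint: derive the record from the
    session and never accept a customer ID from the client at all."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None:
        raise Forbidden("not authenticated")
    return CUSTOMERS[owner_id]


def is_forbidden(handler, *args) -> bool:
    """Helper so callers can check that a handler refuses a request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


# Constructed request log in the hypothetical format '<token> GET /customer/<id>'.
SAMPLE_LOG = [
    "tok-alice GET /customer/100000001",
    "tok-alice GET /customer/100000001",
    "tok-bob GET /customer/100000002",
    "tok-bob GET /customer/100000001",
    "tok-bob GET /customer/100000003",
]


def flag_enumerating_sessions(log_lines, threshold: int = 3):
    """Detection side: a single session reading many *distinct* customer IDs is
    behaving like the systematic retrieval described above. Returns the tokens
    that touched at least `threshold` different IDs."""
    seen = defaultdict(set)
    for line in log_lines:
        token, _method, path = line.split()
        seen[token].add(int(path.rsplit("/", 1)[1]))
    return sorted(token for token, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", get_customer_vulnerable("tok-alice", 100000002).name)
    print("hardened refuses cross-account read:",
          is_forbidden(get_customer_hardened, "tok-alice", 100000002))
    print("sessions to review:", flag_enumerating_sessions(SAMPLE_LOG))
```

The point of the three handlers is that authentication and authorisation are separate questions: `get_customer_vulnerable` answers only the first. The log check is deliberately crude (distinct IDs per session over the whole log); in production it would run over a time window and alongside rate limiting, but even this form would have surfaced the behaviour the article describes.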
Three hours after Paul Price published this security flaw on his blog, Moonpig deactivated its mobile app and tweeted: “We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.”
This neatly worded and somewhat disingenuous tweet sought to reassure customers that their passwords and full payment details were safe. But what about names, addresses, email addresses, telephone numbers, birthdays, the last four digits of credit cards and their expiry dates and the addresses of those friends and family to whom the customer has sent greeting cards?
A malicious hacker armed with an individual’s date of birth, address and the last 4 digits of a credit card has a greatly increased chance of gaining access to that individual’s other online accounts.
If what Paul Price says is correct, Moonpig is in a very sticky situation. In terms of reputation, customers may well forgive a security flaw which is dealt with quickly and efficiently. Moonpig’s failure to do anything for almost 18 months is quite another matter.
It will be interesting to see what action will be taken by the Information Commissioner’s Office (“ICO”). Moonpig’s security flaw and its failure to rectify the issue once notified would appear to contravene the Seventh Principle of the Data Protection Act 1988 (“DPA”).
Seventh Principle of the DPA
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The ICO has already tweeted: “We are aware of the incident at Moonpig and are looking into the details” and it has the power to fine companies up to £500,000 for serious breaches of the DPA.
But what level of responsibility does the Seventh Principle of the DPA impose on companies such as Moonpig? There is no clear answer to this; the DPA does not define what it means by “appropriate”. Instead, the DPA requires organisations to adopt a risk-based approach in deciding what level of security their particular type of organisation requires.
According to DPA guidance notes, security will be “appropriate” if organisations have
- designed and organised it to fit the nature of personal data held by it,
- been clear about who within the organisation is responsible for ensuring information security,
- made sure that it has the correct physical and technical security backed up by robust procedures and well trained staff, and, crucially for Moonpig,
- been ready to respond to any breach of security swiftly and effectively.
The lesson for online companies is clear. To avoid reputational damage and a hefty fine from the ICO, organisations should review all aspects of their online security regularly, and if there is any doubt at all, they should obtain the help of an ethical hacker to test the strength of their security.