12 January 2015
The Information Commissioner’s Office (ICO) has announced on Twitter that it is looking into the Moonpig incident.
Early in January 2015, news broke that greetings card manufacturer and retailer Moonpig had, for 18 months, left unfixed a vulnerability exposing customer data in one of its apps, despite a developer having reported it to the company. Owing to Moonpig’s lack of action, the developer blew the whistle and published the details.
Governance + Compliance spoke to industry professionals to find out what they thought about Moonpig leaving a known vulnerability unaddressed for 18 months. Considering how great the risk of cyber attack has become, this example of poor governance is particularly striking.
Ross Brewer, vice president and managing director for international markets at LogRhythm said: ‘We’re used to hearing about security breaches and flaws on a very frequent basis these days, so the fact that another organisation has fallen foul doesn’t come as too much of a surprise. We have, after all, reached a stage when it’s a case of when, not if, a security incident occurs for most businesses today. What is unbelievable is the fact that Moonpig was made aware of the fact there was an issue almost two years ago and, as far as can be seen, did nothing about it.
‘For any organisation, and particularly for retail businesses, customers are really the only thing that keeps them going. Showing such flagrant disregard for the safety of their data is unforgivable, and you can be sure many members of the public will see it in the same way. In fact, a recent survey conducted by LogRhythm found that 56 percent of people said they either don’t do business with an organisation that has suffered a breach, or at least limit the amount of information they share with them – which indicates Moonpig could face a quick decline in customers following this news.
‘The financial repercussions of any breach can be severe, thanks to lost customers, income and fines that may be levied, and the longer flaws are left open, the worse that loss is likely to be. With the security landscape as it is today, there really is no excuse for organisations not to have the tools in place to identify risks and fix problems as soon as they are identified. Understanding normal network activity is crucial to ensuring its security, and can severely reduce the time it takes to detect threats. No flaw should take 18 months to rectify, particularly when it’s already been identified, and leaving it for so long is asking for trouble – from multiple angles.’
Mark Edge, UK country manager of Brainloop said: ‘Businesses like Moonpig that handle sensitive customer data have a non-negotiable responsibility to comply with the highest security standards possible. Failure to do so will only result in damage to their reputation and customers taking their business elsewhere.
‘The Moonpig security flaw is a classic example of why a password (and password policy) alone is not a sufficient defence mechanism for securing confidential data and should not be relied upon to keep the data protected. We hear about passwords being stolen, hacked or accidentally disclosed almost every day, yet many businesses are still not recognising it as a problem.
‘The key is to secure the data itself at the source. This can be done through encryption and digital rights management. In today’s highly connected world, two-factor authentication is both commonplace and an essential extra layer when it comes to remote access and protecting confidential information.’
Richard Brackstone, Director at Moorhouse, commented: ‘The delay between Moonpig being notified of the data flaw in its app and actually taking action is of concern and the bad customer management has damaged its brand. Data is an asset that needs to be protected and the credibility of the company managing it is heavily dependent on its own governance and security measures to do this.
‘Digital companies have grown rapidly over the last two to three years and a vast amount of data is being submitted to and transferred by them for marketing and sales purposes. Data is both the property of the company you give it to and a B2B currency; often to access services, terms and conditions must be accepted, and these usually include giving up a number of rights on privacy of information.
‘Growth in this space has far outpaced legislation. Companies are reluctant to see legislation introduced and will resist an overregulated market in this space, but there will come a point when regulation will become far better defined and enforced, probably around the moment of a major incident and public outcry.
‘Business transformation is becoming ever more digitally orientated as it deals with fast paced change and huge amounts of customer and business data. Data management and security is increasingly becoming a strategic imperative with companies investing in differentiating themselves in the marketplace and attracting more customers, which translates to data and potential revenue if used wisely. When driving a digital transformation strategy and delivery, data management and security needs to be an integral investment. No company wants to be the next Moonpig of data security.’
Jes Breslaw, director of marketing and strategy at Delphix UK said: ‘With today’s mobile consumers increasingly demanding a wide variety of services via apps, pressure is mounting to continuously deliver updates to app portfolios. Like most companies, Moonpig’s bug queue and feature request list is likely to be very long.
‘When it comes to maintaining compliance and evading bugs, the constraints are often not the people or technology but the underlying data that organisations are developing, testing and reporting against. High storage costs, manual business processes or simply inflexible legacy systems mean that production copy data is either incomplete or old. As a result, it's not untypical for companies to use data that's a month old in the development process, or use smaller subsets of data rather than the full data set.
‘Developer whistleblowing is unlikely to disappear so companies that are geared towards releasing products and services as apps need to re-think their data management approach. For application development and testing, organisations need to ensure that they have fast, flexible access to copies of near-live data. This not only empowers the business to improve the quality, frequency and user experience of app updates but also helps organisations mitigate data flaws far quicker.’
Tony Dyhouse, the director of the Trustworthy Software Initiative (TSI), a government-backed Public Good Activity said: ‘The vulnerability in Moonpig’s systems has shown that UK businesses continue to underestimate the impact that untrustworthy software can have on their customers as well as their revenue and reputation. Such vulnerabilities are sadly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.
‘To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up. Over the coming years this will involve a shift in emphasis away from simply papering over the cracks and towards addressing the vulnerabilities themselves.
‘However, while we still have untrustworthy software at large it is essential to operate an effective and robust software management system to ensure that businesses and their customers are protected. Patching does indeed require effort and resource, but a speedy response can help businesses save money and avoid considerable damage to their brand and reputation.’
TK Keanini, CTO at Lancope said: ‘A lot so far has been said about this event and everyone should notice that nothing said so far has been new at all. It is the same story over and over again and, given the circumstances, it will continue well beyond my years on the planet.
‘Readers need to understand for themselves that we are talking about a process and not a thing or a point in time. Securing systems happens in a loop or spiral pattern whereby flaws and insecurities are discovered and fixed but, given changes with new features and functionality, flaws and insecurities are put back in to be discovered and fixed at a later time. The threat landscape also plays an essential part in this co-evolution, as attackers continue to make new discoveries in both old and new code bases.’
‘We are sometimes quick to reach for government or some regulatory agency to provide governance and, while this works in some sectors, in others it does not. Everyone needs to do their part in securing systems, as we are all so connected at this point that attackers can find some access vector in this hyper-connected graph to get to your data someway, somehow.’