06 January 2015
A data security flaw in Moonpig’s app was ignored by the cards and gifts company for 18 months, it has been alleged.
The flaw was brought to the company’s attention by a developer in August 2013. Fed up with Moonpig’s avoidance of the issue, the developer blew the whistle on 6 January 2015.
In response to the public disclosure, Moonpig released a statement acknowledging the claims and sought to assure its customers that ‘all password and payment information is and has always been safe’, adding that its apps will be unavailable for an undisclosed period of time while investigations are carried out.
At this time, it is understood that no customer data was stolen; however, the vulnerability would have allowed an attacker access to customer details.
David Emm, Principal Security Analyst at Kaspersky Lab told Governance + Compliance that it is ‘important that companies take information about a vulnerability in their products very seriously. After discovering a bug, researchers typically try to contact the company first and give them time to fix the issue before going public with their findings.
‘If this vulnerability is confirmed, and it's true that Moonpig has previously failed to take any action to protect their customers for almost a year and a half, this is alarming - especially for a vendor of an online shopping application used to transmit highly sensitive data.
‘Clearly there are two aspects to any online transaction. We all have a responsibility to secure ourselves by only using secure web sites, legitimate apps and using unique complex passwords to ensure that if one account is compromised it doesn’t put all our other online accounts in jeopardy. However, providers also have a responsibility to ensure secure communication between the customers and their own systems.’