Personalised greetings card service Moonpig was all over the popular news yesterday.
Paul Price found an exploitable weakness in Moonpig's public API and contacted them in August 2013, and again a year later. Eventually he gave up and published details on Monday.
Following much Twitter activity, yesterday Moonpig tweeted:
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
Interesting spin, since the vulnerability relates to other personal data, not to passwords or payment card holder data. Shortly afterwards, Moonpig tweeted:
As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations: http://www.moonpig.com/uk/Information/Press/
Moonpig also added the following message to their customer support page:
A MESSAGE TO OUR CUSTOMERS: You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.
Although Moonpig has not responded to the core issue (personal information), the published details appear to indicate:
- Breach of principle 7 of the Data Protection Act
- Breach of the Payment Card Industry Data Security Standard (PCI DSS)
- A disregard for customers' data when the company has been aware of the problem for so long, and it continued to collect and process personal data through the period.
PCI DSS is only relevant to the API issue if the system components for api.moonpig.com are within the PCI environment (the cardholder data environment, together with any system components connected to it, which PCI DSS scoping rules also bring into scope). There is no need for a cardholder data breach for there to be a breach of compliance with PCI DSS. The main www.moonpig.com systems are definitely within scope since payment cardholder data is collected on forms generated by the website and the data is sent back to the same Moonpig website.
In any case, walking through the shopping basket and checkout, other application security and privacy concerns are evident, such as system information leakage, sending personal data over unencrypted channels, and third-party code on checkout pages.
The API issue and the other public issues on the website do not seem even to meet the baseline security controls that OWASP has published for years.
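The three checkout-page concerns above (forms that send personal data over plain HTTP, scripts pulled in from third-party origins, and response headers that leak server details) can be checked mechanically before a release. The following is an added example written for this page, not code from the original post or from Moonpig: it runs static checks over a constructed sample page and constructed response headers, which are assumptions made up for illustration and not captures of any real site. The "third-party" test is a simple host comparison against the page's own host, so a first-party CDN on another hostname would also be flagged.

```python
"""Static checks for checkout pages: unencrypted form targets,
third-party scripts and information-leaking response headers.
The page, URL and headers below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Collector(HTMLParser):
    """Collect form actions (with their input names) and script sources."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "inputs": [names]}
        self.scripts = []    # script src attributes
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a.get("name", ""))
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


# Header names that commonly disclose server software or framework versions.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_page(page_url, html, headers):
    """Return a list of (category, detail) findings for one page."""
    parser = _Collector()
    parser.feed(html)
    page_host = urlparse(page_url).netloc
    findings = []

    # 1. Forms whose resolved action is not https:// send their fields in clear.
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append(("unencrypted-form", f"{target} fields={form['inputs']}"))

    # 2. Scripts served from a host other than the page's own host.
    for src in parser.scripts:
        resolved = urljoin(page_url, src)
        if urlparse(resolved).netloc != page_host:
            findings.append(("third-party-script", resolved))

    # 3. Response headers that reveal server or framework details.
    for name, value in headers.items():
        if name.lower() in LEAKY_HEADERS:
            findings.append(("info-leak-header", f"{name}: {value}"))

    return findings


# Constructed sample input (hypothetical site, not a capture of any real page).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<form action="http://shop.example/checkout/submit" method="post">
  <input name="email"><input name="address"><input name="card_number">
</form>
<form action="/account/login" method="post"><input name="password"></form>
<script src="/js/app.js"></script>
<script src="https://tracker.example/t.js"></script>
</body></html>
"""
SAMPLE_HEADERS = {
    "Server": "ExampleHTTPd/2.4.1",
    "X-Powered-By": "ExampleFramework/1.0",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for category, detail in audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{category}: {detail}")
```

Run against the sample it reports the checkout form posting card data to an http:// URL, the tracker script from another origin, and the two disclosing headers; the login form (relative action, resolves to https) and the first-party script pass.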
The help page about Payment and Personal Details Security states:
Security is an important priority for us and we are committed to protecting your privacy.
We are registered as required under the Data Protection Act 1998 (Reg. Z4843659) and we use the most up-to-date technology available to protect your personal details. To avoid the risk of computer fraud, your credit card number is not stored in our system at any point in the payment process. Please see our privacy and security policy here.
The claim to use "the most up-to-date technology available" is clearly not true and might therefore be a breach of the Advertising Standards Authority Online Remit. The above also hints that somehow payment cardholder data is safe because it "is not stored". That's good, but it is not the same as saying it is not processed by Moonpig systems at all, which is likely to be misleading to some consumers. The terms and conditions say very little about protecting personal data, except for "in transit", and as we know that is not true for all parts of the website that collect or display personal data.
If that is not enough for Moonpig: should the API vulnerability also affect United States customers, we will likely see the US Federal Trade Commission get involved. That body has been very strict in recent enforcement actions for online privacy failings. Affected US readers can submit complaints to the FTC online.