Online greetings card store Moonpig exposed customer data to hackers for at least 15 months, despite warnings from an expert that there was a hole that needed to be plugged.
There are multiple lessons here. The first: corporate arrogance is dangerous. Second: it’s important for customers to educate themselves, and make sure companies are working to keep them secure. And the third: a “known name” isn’t necessarily a safe one.
Moonpig is an online greetings card store that sells custom-designed cards and mugs through their website. Hugely popular (thanks to regular TV advertising), Moonpig shipped 6 million cards in in the UK in 2007. While a British site (based in London and the Channel Island of Guernsey), this is a situation that affects shoppers and online store owners around the world.
The Moonpig Hack: What Happened?
Back in 2013, developer Paul Price discovered that mobile API requests on the Moonpig.com website could be hacked, thereby enabling criminal hackers to place orders on any account. Additionally, Data such as customer names, date of birth, address, credit card expiries and the last four digits of the card could be viewed.
Websites that offer online shopping usually provide rate limiters that reduce the impact of automated scripts, but Moonpig omitted to do this, making it an easy, open target for hackers.
Initially informed by Price of the vulnerability in mid-2013, Moonpig claimed that they would fix it right away; 18 months later, the vulnerability remained.
Said Price when he published details of the vulnerability online:
“I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architect this system needs to be waterboarded. Every API request is like this: there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers accounts, add or retrieve card information, view saved addresses, view orders and much more.”
Essentially, basic authentication was being used and account data revealed without authentication checks.
Price decided to go public with the hack after Moonpig responded to his follow-up contact in September 2014 to have the fix in place by Christmas. When he revealed all on January 5th, it had yet to be plugged.
Moonpig’s Reaction To The Hack
The lesson of this story isn’t so much about the hack – they’re happening more and more in the online shopping industry – but about the attitude of the company, and what this means to consumers.
If we consider the volume of hacks over the past couple of years, such as still-unexplained eBay leak and Target losing 40 million credit cards then we can see that there seems to be at best an ignorance, at worst utter complacency, towards online security.
Take, for example, the Moonpig response to the news:
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
— Moonpig (@MoonpigUK) January 6, 2015
This attempt at damage limitation was immediately called out:
.@MoonpigUK Really? That's your strategy for dealing with being called out on your negligence? Lie about it?
— Chris Ward (@christopherward) January 6, 2015
— James Seymour-Lock (@JamesSLock) January 6, 2015
Public Relations disaster aside, Moonpig’s inability to deal with the issue in a timely manner highlights the importance of regular running penetration tests on Internet facing websites, as well as responding to security advisories promptly.
How Customers Can Benefit From Security Vulnerabilities
It isn’t clear if any data was stolen from Moonpig via this vulnerability, and based on their damage limitation efforts so far they probably wouldn’t share the information even if they had it.
The endless issues with online shopping security over the past 24 months or so have begun to undermine confidence in the industry. While eBay is giving little away at this stage, for instance (and never confirmed how their data was hacked) it’s remarkable drive towards free listings and other bonuses during the middle of 2014 suggests a lot of users stayed away.
Short of launching civil actions against these companies, the only real steps customers can take against the flagrant misuse and insecurity of their data (and if you’re a Moonpig.com customer it’s worth checking for any promises of data security in your original terms and conditions) is to vote with their wallets.
With the explosion in courier services and drone deliveries, vast warehouses around the country and vast deliveries, Amazon is proving how to fulfil customer orders and keep their data safe (so far). Other companies should be using Amazon as an example, rather than a rough template to attempt to mimic. Failure to do this can only result in the end of online shopping – or the total dominance of Amazon.
Only by taking steps to shop elsewhere can we benefit from online stores taking their responsibilities seriously.
Don’t Quit Online Shopping Yet: Just Shop Smarter
Over the past couple of years we’ve seen far too many big names hacked. But these intrusions, and subsequent data leaks, don’t mean that you have to remain a customer. In fact, you should do the opposite and head for the more secure competitors, or shop locally, instead. If you’re caught out and shop at a site that is hacked, you might also consider these alternative options.
Of course, you might have a better solution. So use the comments to share it, and any related stories you may have.
Image Credit: Shopping online via Shutterstock