The alleged vulnerability was publicised by app developer Paul Price on his blog after he grew frustrated with the length of time Moonpig was taking to address the problem.
Price claimed that API requests made by the web-to-print firm's Android app contain "no authentication at all" and that hackers could "easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more".
The attack is made easier by the fact that API calls were not rate-limited, meaning an attacker could iterate through customer IDs one after another to build a database of Moonpig customer data, including email addresses and credit card details.
"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed."
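The weakness described above (an API that trusts a client-supplied, sequential customer ID, with no authentication and no rate limit) is a textbook insecure direct object reference. The following is an added Python example, not code from the original article or from Moonpig: it models the vulnerable handler beside a hardened one and runs the same enumeration loop against both. All endpoint names, session tokens, customer records and the limiter parameters are constructed for illustration.

```python
import time

# Constructed sample data (hypothetical; not Moonpig's schema or real records).
CUSTOMERS = {
    1001: {"email": "alice@example.com", "address": "1 High St", "card_last4": "4242"},
    1002: {"email": "bob@example.com", "address": "2 Low Rd", "card_last4": "0005"},
    1003: {"email": "carol@example.com", "address": "3 Mid Ln", "card_last4": "1111"},
}

# Hypothetical session store: token -> customer id the token was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status


def vulnerable_get_customer(customer_id, token=None):
    """'Before': returns whatever record the caller asks for. The token is
    accepted but never checked, so anyone can read any customer."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        raise ApiError(404, "not found")
    return rec


class FixedWindowLimiter:
    """Minimal fixed-window rate limiter keyed by caller (token, or client
    address for unauthenticated traffic). `clock` is injectable for tests."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.counts = {}  # key -> (window_start, requests_in_window)

    def allow(self, key):
        now = self.clock()
        start, count = self.counts.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        if count >= self.limit:
            self.counts[key] = (start, count)
            return False
        self.counts[key] = (start, count + 1)
        return True


def hardened_get_customer(customer_id, token, limiter):
    """'After': throttle first, then authenticate, then make an object-level
    authorization decision before touching the record."""
    # 1. Rate-limit every request, including unauthenticated ones, so an
    #    attacker cannot walk the ID space for free.
    if not limiter.allow(token or "anon"):
        raise ApiError(429, "too many requests")
    # 2. Authenticate: the token must map to a known session.
    caller = SESSIONS.get(token)
    if caller is None:
        raise ApiError(401, "unauthenticated")
    # 3. Authorize: the caller may only read its own record. Use the same
    #    status as a missing record so the response does not confirm which
    #    IDs exist.
    if caller != customer_id or customer_id not in CUSTOMERS:
        raise ApiError(404, "not found")
    return CUSTOMERS[customer_id]


def enumerate_ids(handler, id_range, token=None, **kw):
    """Attacker loop: walk sequential IDs and keep whatever comes back.
    Stops when the server starts throttling."""
    harvested = {}
    for cid in id_range:
        try:
            harvested[cid] = handler(cid, token, **kw)
        except ApiError as err:
            if err.status == 429:
                break
    return harvested


if __name__ == "__main__":
    # No credentials at all against the vulnerable handler: every record leaks.
    print(enumerate_ids(vulnerable_get_customer, range(1000, 1010)))
    # Same loop against the hardened handler with a valid session: only the
    # caller's own record, and the limiter cuts the walk short.
    limiter = FixedWindowLimiter(limit=5, window_s=60)
    print(enumerate_ids(hardened_get_customer, range(1000, 1100),
                        token="tok-alice", limiter=limiter))
```

The ordering in the hardened handler matters: throttling before authentication means unauthenticated probing is bounded, and the object-level check compares the ID from the URL against the identity bound to the session rather than against anything the client sends. Sequential IDs are not the root cause (the missing authorization check is), but replacing them with unguessable identifiers is a cheap extra layer, since it turns an enumeration of a few thousand requests into a search of a 2^128 space.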
Price posted a timeline of his contact with Moonpig that lists "initial contact made with vendor" in August 2013, when he was told "legacy code" was responsible for the weakness and that Moonpig would "get right on it".
A follow-up email from Price more than 12 months later, in September 2014, revealed that the vulnerability had still not been closed but that it would be "before Christmas". On discovering that the vulnerability still existed at the beginning of this year, Price went public on 5 January.
"Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers," he said. "Seventeen months is more than enough time to fix an issue like this.
"It appears customer privacy is not an issue to Moonpig."
Moonpig was quick to deny the problem, although it has also disabled its iOS and Android apps "as a precaution" while it investigates the alleged vulnerability.
In a statement the company said: "We are aware of the claims made this morning regarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.
"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."
The ICO, which has the power to fine companies up to £500,000 for serious breaches of the UK Data Protection Act, tweeted: "We are aware of the incident at Moonpig and are looking into the details."