
Cybersecurity firms have slammed greetings card firm Moonpig for its "slow" response to a flaw in its app API, which may have exposed customer data and card information.
Both CipherCloud and Malwarebytes criticised the firm’s failure to act on a private disclosure made 17 months earlier by developer Paul Price, who alleged that an attacker could retrieve other customers’ account details simply by changing the ID number in an API request, the class of bug commonly known as an insecure direct object reference (IDOR): the API authenticated the caller but did not check that the caller was allowed to see the record being requested.
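To make the reported bug class concrete, the following is an added, constructed illustration and not Moonpig’s code, API or data. It models a generic account-lookup endpoint in two forms: one that trusts the client-supplied ID after authenticating the session (the IDOR pattern described above), and a hardened one that derives the permitted record from the session itself. All names (`Account`, `SESSIONS`, `get_account_vulnerable`, `idor_probe`, the tokens and IDs) are hypothetical.

```python
"""
Added illustration of an insecure direct object reference (IDOR): an API
that looks up a record by the ID the client sends, without checking that
the caller owns it.  Constructed example, not Moonpig's code or API; all
names, fields and data below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    email: str
    card_last4: str  # payment detail that must never leak across accounts


# Constructed sample data standing in for a customer database.
ACCOUNTS = {
    1001: Account(1001, "alice@example.com", "4242"),
    1002: Account(1002, "bob@example.com", "1881"),
}

# Constructed session store: bearer token -> authenticated account ID.
SESSIONS = {
    "tok-alice": 1001,
    "tok-bob": 1002,
}


class Forbidden(Exception):
    """Raised when a caller asks for a record it may not read."""


def authenticate(token: str) -> int:
    """Resolve a bearer token to the account it was issued for."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("invalid or expired session")


def get_account_vulnerable(token: str, requested_id: int) -> Optional[Account]:
    """Authenticates the caller, then trusts the client-supplied ID.

    Any logged-in user can enumerate other customers by incrementing
    `requested_id`.  Authentication is present; authorization is not.
    """
    authenticate(token)  # proves *who* is calling, not *what* they may read
    return ACCOUNTS.get(requested_id)


def get_account_hardened(token: str, requested_id: int) -> Optional[Account]:
    """Derives the permitted record from the session instead of the request.

    The client-supplied ID is accepted only if it matches the account the
    session was issued for.  Refusing every other ID with the same error
    also avoids confirming which other account IDs exist.
    """
    caller_id = authenticate(token)
    if requested_id != caller_id:
        raise Forbidden("account not accessible to this session")
    return ACCOUNTS.get(requested_id)


def idor_probe(fetch: Callable[[str, int], Optional[Account]],
               token: str, id_range: Iterable[int]) -> List[int]:
    """Simulate the disclosed technique: walk a range of IDs with a single
    session and collect every account ID the endpoint hands back."""
    leaked = []
    for candidate in id_range:
        try:
            acct = fetch(token, candidate)
        except Forbidden:
            continue
        if acct is not None:
            leaked.append(acct.account_id)
    return leaked


if __name__ == "__main__":
    # Bob's session walking a small ID range against both endpoints.
    print("vulnerable:", idor_probe(get_account_vulnerable, "tok-bob", range(1000, 1005)))
    print("hardened:  ", idor_probe(get_account_hardened, "tok-bob", range(1000, 1005)))
```

The probe against the vulnerable handler returns every account in the range, including Alice’s, using only Bob’s session; against the hardened handler it returns Bob’s own record and nothing else. The fix is an authorization check tied to the authenticated principal, not obscurity of the ID format: random or long IDs slow enumeration but do not replace the ownership check.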
Bob West, chief trust officer at CipherCloud, said: "The response to this breach has been particularly slow."
"For a company to be aware of a basic security issue for more than 17 months is gross negligence. Because companies that process payments are custodians of customer data, they have a legal and, I would argue, ethical obligation to protect that information."
Following news reports of the problem, Moonpig made its mobile apps unavailable while it investigated, releasing a statement claiming that "all password and payment information is and has always been safe".
Chris Boyd, malware intelligence analyst at Malwarebytes, said the company should have notified its customers of the problem by email and advised them on steps they could take to mitigate the risk.
"APIs have been an area of concern in the cybersecurity community for years," said Trey Ford, global security strategist at Rapid7.
"An internet-exposed API is serving requests from the public internet – they are often poorly documented, insufficiently logged, and routinely overlooked in security testing.
"This is further complicated by different developers using and expanding the API in unexpected ways. Moonpig and [its parent] Photobox, like many other organisations should be, is taking a hard look at the security of their APIs."
The Information Commissioner’s Office, which regulates the holding of private data in the UK, said it was looking into the case, but had yet to make further comment.