MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others that is backing CurrentC, a mobile payments solution
meant to rival newcomer Apple Pay, has been hacked. The data breach
involves the theft of email addresses, but the CurrentC mobile
application was not affected, the company confirms to TechCrunch.
Within the last 36 hours, MCX says it learned that unauthorized third
parties obtained the email addresses of some of its CurrentC pilot
program participants and other individuals who had expressed interest in
the app.
The group has now notified its merchant partners about the incident
and is communicating directly with those individuals whose email
addresses were involved, a company spokesperson tells us.
At this time, it appears that only the emails of these early mobile
app testers have been stolen, which is not as significant a data breach
as having payment data or other personal information taken, like home
addresses or phone numbers, as has been the case with other large-scale
data breaches, like the one which took place over the last holiday
season at Target.
In addition, many of these email addresses were dummy accounts used for
testing purposes, which means there may not be that many end users
affected at this point, as the solution was still in its pilot phases.
However, MCX says it’s continuing to investigate the situation and will provide more updates as they arrive.
Below is the email being shared with these users, in its entirety:
Thank you for your interest in CurrentC. You are receiving this
message because you are either a participant in our pilot program or
requested information about CurrentC. Within the last 36 hours, we
learned that unauthorized third parties obtained the e-mail addresses of
some of you. Based on investigations conducted by MCX security
personnel, only these e-mail addresses were involved and no other
information.
In an abundance of caution, we wanted to make you aware of this
incident and urge you not to open links or attachments from unknown
third parties. Also know that neither CurrentC nor Merchant Customer
Exchange (MCX) will ever send you emails asking for your financial
account, social security number or other personally identifiable
information. So if you are ever asked for this information in an email,
you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide
updates as necessary. We take the security of your information extremely
seriously, apologize for any inconvenience and thank you for your
support of CurrentC.
It’s unclear at this time how exactly the addresses were stolen. As
dummy accounts were taken, too, that would seem to rule out a phishing
scheme. Phishing requires getting users to click malicious links or
take some other action, and is usually kicked off by sending users a
legitimate-sounding email in order to trick them. It’s not likely that
the creators of the dummy accounts would have responded to phishing
attempts.
CurrentC’s maker MCX,
for those unfamiliar, is a group of over 50 retailers who have
been working to develop their own mobile wallet technology. Essentially,
they want to own the mobile wallet experience for themselves, instead
of turning it over to a company like Apple, whose Apple Pay mobile
payments solution prevents them from gaining access to customer data.
Instead, retailers involved with MCX want to use mobile payments as a
way to learn more about their customers’ shopping behavior, which could
mean they could better target offers to them in the future.
The system works via a mobile application, live now on the app
stores, called CurrentC. It’s sort of a clunky tool when compared with
Apple Pay, as it involves the use of QR codes. But some retailers, like
Starbucks, have seen success with QR codes, and these special barcodes
aren’t tied to one platform, like Apple’s, so it makes sense that this
is the technology the retailers would adopt. (More information on CurrentC is here.)
CurrentC began making headlines recently, when retailers involved with the initiative shut off NFC in their stores.
NFC is the technology that makes Apple Pay and other NFC-based payment
solutions, including Google Wallet, work. Customers were trying to use
Apple Pay at stores like Rite Aid and CVS, where at first Apple
Pay-initiated payments were functioning properly, thanks to the
retailers’ NFC-enabled point-of-sale terminals.
But then those retailers disabled NFC at their registers, ending
their unofficial support for Apple Pay. The problem, apparently, stemmed
from the fact that retailers’ contracts with MCX state they’re not
supposed to accept rival mobile payment products. (Walgreens, an Apple
Pay partner, has taken advantage of this situation, telling customers via social media that #ChoiceIsEverything.)
With interesting timing, MCX this morning published a blog post
to clear up misconceptions about its technology and its aims as a
company. One section in the post discussed the security aspects
of CurrentC, saying “the technology choices we’ve made take consumers’
security into account at every aspect of their core functionality.”
After a number of high-profile data breaches in recent months, which have seen consumer data stolen from Target, Home Depot, Neiman Marcus, Staples,
P.F. Chang’s, Supervalu, and others, there’s a feeling among consumers
that retailers should not be trusted with our sensitive information,
including payment card data and other personal details, any longer.
Perhaps the CurrentC hackers agree, and decided to make that point by way of this latest hack.