Moonpig API flaw left unfixed for 17 months

Earlier this week, online greetings card company Moonpig took its API offline as a flaw was enabling orders to be placed on customer accounts by hackers. The flaw, identified by researcher Paul Price, allowed hackers to bypass authentication security and place orders, as well as see and add payment information, view addresses and so on. While Moonpig has said that all password and payment information is safe, it has been claimed that the flaw was left unfixed for 17 months, despite the company being made aware of it.

We’re used to hearing about security breaches and flaws on a very frequent basis these days, so the fact that another organization has fallen foul doesn’t come as too much of a surprise. We have, after all, reached a stage when it’s a case of when, not if, a security incident occurs for most businesses today.

What is unbelievable is the fact that Moonpig was made aware of the fact there was an issue almost two years ago and, as far as can be seen, did nothing about it. For any organization, and particularly for retail businesses, customers are really the only thing that keeps them going. Showing such flagrant disregard for the safety of their data is unforgivable, and you can be sure many members of the public will see it in the same way.

In fact, a recent survey conducted by LogRhythm found that 56 percent of people said they either don’t do business with an organization that has suffered a breach, or at least limit the amount of information they share with them—which indicates Moonpig could face a quick decline in customers following this news.

The financial repercussions of any breach can be severe, thanks to lost customers, income and fines that may be levied, and the longer flaws are left open, the worse that loss is likely to be. With the security landscape as it is today, there really is no excuse for organizations not to have the tools in place to identify risks and fix problems as soon as they are identified.

Understanding normal network activity is crucial to ensuring its security, and can severely reduce the time, it takes to detect threats. No flaw should take 17 months to rectify, particularly when it’s already been identified, and leaving it for so long is asking for trouble—from multiple angles.