MoviePass, a movie ticket subscription service, has apparently exposed the sensitive personal data of tens of thousands of its customers by leaving a critical server unprotected. The growing database held more than 58,000 records, including credit card numbers, expiry dates, billing information, full names and postal addresses.
The database also contained email addresses and some password data captured from failed login attempts. It is said to have been found by Mossab Hussein, a security researcher at the cybersecurity firm SpiderSilk, using web mapping tools built by his company. He explained that the unencrypted files could have been exposed for months, and that he had informed MoviePass of the flaw but received little to no response.
MoviePass is a US-based organisation that sells monthly subscriptions allowing customers to purchase up to three movie tickets per month. Subscribers use a mobile app to check in at a cinema and choose a film and showtime; the cost of the ticket is then loaded onto a prepaid debit card (powered by Mastercard), which is used to buy the ticket from the cinema as usual.
Mossab Hussein said:
“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data. In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone.”
It’s essential that businesses thoroughly assess the security of their stored data, especially where it contains sensitive information about their customers. This incident follows a string of negative news for MoviePass: after a substantial loss of subscribers, the company took its app offline for “updates” in July, and it has remained inaccessible ever since. MoviePass isn’t alone when it comes to improperly handling customer data, with other big-name brands also suffering large data breaches over the past year.
Chief Executive Officer of MoviePass, Mitch Lowe, said:
“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”
Not every business has to suffer the damaging consequences of a data breach; there are options available to reduce the probability of one happening. Best practice suggests regularly auditing the risk and taking any highly sensitive data within the organisation “out of scope”, that is, away from the corporate network and environment so that it is never stored or processed there. For customer cardholder data (CHD), this can be done through a third-party secure payment solutions provider such as Key IVR, who offer an industry-leading PCI-DSS Level 1 secure web payments platform that ensures valuable card details are processed safely and securely.