Mobile payments provider CurrentC has issued a warning to customers that “unauthorised third parties” obtained tester email addresses.
The email addresses were “participants” in its pilot programme, or people who had requested information about CurrentC.
It said: “Within the last 36 hours, we learned that unauthorised third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these email addresses were involved and no other information [was affected].”
It warned those potentially affected not to open links or attachments from unknown third parties.
“MCX is continuing to investigate this situation and will provide updates as necessary,” he said. “We take the security of your information extremely seriously, apologise for any inconvenience and thank you for your support of CurrentC.”
A spokesperson for CurrentC told Business Insider that many of the email addresses were dummy accounts used for testing purposes only, and the CurrentC app itself was not affected. “We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved,” they said. “We take the security of our users’ information extremely seriously.”
MCX (merchant customer exchange) is the name of a collection of retailers including CVS, 7-Eleven, Best Buy, Sears, Shell Oil, Target and Walmart. Business Insider previously reported that members of MCX shut down support for Apple Pay after a few days of accepting it, most likely out of a contractual obligation to MCX to use only MCX’s mobile payment solution. CurrentC was the alternative, and has been in development since 2012.
TK Keanini, CTO of Lancope, said: “Payment systems like these take time to get right and mistakes will be made along the way. Attackers will innovate and succeed at some point, defenders will remediate and up their countermeasures and around and around the co-evolution we go.”