"Many of these email addresses are dummy accounts used for testing purposes only," MCX said in a statement. "The CurrentC app itself was not affected."
"We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved," the company added. "We take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary."
eWeek reports that MCX CEO Dekker Davison said in a press conference on October 29, 2014 that the email addresses were actually stolen from MCX's email provider, not from the company itself.
Davison also said MCX had been targeted by cyber attacks for several days after it was first announced that CVS and Rite Aid had disabled their NFC terminals in order to meet MCX's contractual requirement that they not accept any other form of mobile payment. It's not clear at this point whether or not the attacks were launched in response to that announcement.
"We're challenging the status quo," Davison said. "When you poke at a large ecosystem, you expect attacks."
In the press conference, however, Davison said merchants using CurrentC would in fact be allowed to accept competing payment solutions such as Apple Pay or Google Wallet.
"If you're launching a new payment system, you have to project a sense of security and gain confidence," Ablowitz said. "If I was in charge of MCX, I'd be worried about how it appears to the typical consumer."
And NSS Labs practice manager for architecture and infrastructure Chris Morales told eSecurity Planet by email that this is likely to be the first of many breaches in this space.
"As we come to terms with the massive level of hacks against the retail industry, the adoption of these new technologies will continue to attract the same cybercriminals who are going after credit cards," Morales said.
Forrester Research expects the market for mobile payments to reach $90 billion by 2017.
Photo courtesy of Shutterstock.