The postcard sharing app Touchnote recently began notifying its customers that their personal information may have been illegally accessed, though the company didn't say how the breach occurred.
The notification was impressively timely -- Touchnote began emailing those affected on November 5th, one day after it learned of the breach.
"On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data," the company said in a statement.
The data potentially exposed includes customers' names, email addresses, mailing addresses, order histories and the last four digits of credit card numbers, as well as card recipients' names and mailing addresses. In some cases, customers' birthdates were also accessed.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
While customer passwords were encrypted, the company is recommending that all those affected change their Touchnote passwords.
BBC News notes that the Touchnote app has been used to send approximately 4 million postcards since it was launched in 2008, and it's pre-installed on million of mobile devices.
"We take our responsibility to keep your data safe very seriously," Touchnote stated. "Since we found out about the theft, we have been working solidly to review all our security measures and update our system infrastructure. We are in contact with the National Cyber Crime Unit, which has the responsibility for investigating and finding the perpetrators of such incidents."
Mark Bower, global director of product management for HPE Security, told eSecurity Planet that there should be no difference between the process of securing customer data obtained by mobile apps and that of securing any other customer data. "There's simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion," he said. "The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure."
"Cyber criminals today are motivated to steal enterprise data, intellectual property and employee or customer information," Bower added. "Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. There is a definite risk if credit card information is obtained. However businesses need to also think about protecting personal information about their customers like name, full address, phone number and email address. Criminals could then use this information to open bogus accounts or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks."
"Beyond the threat to sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line," Bower said. "A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyberattacks and other attempts to get this information."
A recent eSecurity Planet article offered advice on improving database security.