As security breaches go, the attack on CurrentC was small potatoes. According to an email sent out by the payment card service, someone broke into their email system and stole a bunch of email addresses. CurrentC followed standard practices and notified anyone who might be affected that the breach had taken place.
CurrentC is the payment card service started by Merchant Customer Exchange (MCX), a group of major retailers that launched the mobile payment service reportedly as a way to cut down on credit card processing fees while also gaining the ability to track consumer purchasing practices.
CurrentC has drawn a great deal of criticism recently because it includes contractual requirements that prevent member companies from accepting any other form of mobile payment.
These contract terms prompted merchants that initially accepted Apple Pay to suddenly reverse course and block that service as well as Google Wallet. To accomplish this, two major drugstore chains, CVS and Rite Aid, turned off their near-field communication (NFC) terminals and in the process prevented customers from using contactless credit cards to pay for their purchases.
The actions of the two drug chains to cut out NFC payments predictably enraged users of the other mobile payment systems and in the process kicked off a nascent boycott movement to protest the refusal to accept such mobile payments. To date, the boycott has demonstrated little in the way of support, but some have suggested that the hack of the CurrentC site may be a form of retaliation.
According to CurrentC, the information taken only included a subset of email addresses they had in their records. In a letter to those affected, CurrentC said, "You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the email addresses of some of you. Based on investigations conducted by MCX security personnel, only these email addresses were involved and no other personal information."
One significant result of the theft of the email addresses is that MCX, the company behind CurrentC, decided to open up about its practices in a press conference on Oct. 29. According to MCX CEO Dekkers Davidson, the theft of email addresses actually came from the company's email provider, not from MCX itself. Davidson stressed that the CurrentC app and related cloud services were never breached.