Merchant Customer Exchange (MCX), the developer of the mobile payment system called CurrentC, is notifying some users that their email addresses have been stolen by hackers.
“Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information,” read the emails sent out by the company to affected individuals.
MCX says the breach affects participants in the CurrentC pilot program and those who have expressed interest in the product. The company has advised impacted users to be on the lookout for phishing emails, and avoid clicking on links or attachments contained in suspicious messages.
The company clarified in a blog post published on Wednesday that many of the compromised email addresses are actually dummy accounts used only for testing purposes. The CurrentC app itself is not impacted by the breach, MCX said.
“We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved. We take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary,” the organization stated.
MCX is a company created by a consortium of major United States retailers to develop CurrentC, a merchant-owned mobile payment system. The company made headlines this week after two of its members, the Rite Aid and CVS pharmacies, decided to block payments made through Google Wallet and Apple’s recently introduced Apple Pay. The retail giant Walmart, one of the top members of the consortium, is also not accepting payments through Apple Pay.
CurrentC will be launched only next year and, until then, the customers of MCX retailers have no alternative to the classic plastic payment cards. MCX clarified in a blog post that “when merchants choose to work with MCX, they choose to do so exclusively.” The company also noted that those who choose to stop their collaboration with MCX will not have to pay any fines.
As far as data security is concerned, MCX explained that it does not store sensitive customer information in the app, but in a secure cloud-hosted network.
“Removing this sensitive information from the mobile device significantly lowers the risk of it being inappropriately disclosed in a case that the mobile device is hacked, stolen or otherwise compromised,” the company said.
As far as functionality is concerned, CurrentC has been called “clunky“, especially when compared to Apple Pay. Others don’t like the fact that the app requests social security numbers and driver’s license numbers for identity verification purposes when adding a new bank account.