The Merchant Customer Exchange (MCX), a consortium of 58 major U.S. retailers whose mobile payment network will take on the new Apple Pay early in 2015, today held a hastily-organized news conference to address questions about a hack that pilfered consumer email addresses.
MCX CEO Dekkers Davison argued that the group was targeted because it was "challenging the status quo" with its mobile payment service, dubbed CurrentC, which largely circumvents credit card companies' profitable transaction fees. "When you poke at a large ecosystem, you should expect attacks," said Davison. "None of this comes as a surprise."
The 30-minute conference call was in response to an admission earlier in the day by MCX that an unknown number of email addresses had been lifted by hackers.
"Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app," the group said early Wednesday in a statement that was also posted on its website.
Merchant participants in MCX, as well as those whose emails had been stolen, were notified, the organization said.
MCX, which is led by Walmart and includes 7-Eleven, Best Buy, Sears and others, is still in the testing stages for its CurrentC mobile payment system. The service and accompanying app are being piloted in several locales -- Davison declined to name where or which merchants were participating in the tests -- and consumers in other locations can register their email address with MCX for additional information as the tests expand and the system rolls out some time early next year.
MCX downplayed the threat to users in its statement and Davison reiterated that in the call with reporters. "Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected," said MCX spokeswoman Linda Walsh in an email Wednesday.
"There were also some dummy Zip codes," said Davison at one point. At another, however, he refused to answer a similar question. "I have no comment on what other information was stolen. It's premature to comment with investigations ongoing."
By Davison's account -- he repeatedly declined to answer questions about details of the attack, not uncommon when a company acknowledges a hack or breach -- it was not MCX's servers that were targeted, but those of its email provider. Davison would not name that provider.
But he was adamant that the term "breach" was inappropriate as a description of the hack. "This is not a breach. It was only email addresses," Davison said, perhaps defining "breach" narrowly. "We will learn from it. It will not slow us down."
Sign up for CIO Asia eNewsletters.