The Company Suspends Mobile Wallet App After Security Concerns
Identity theft protection company LifeLock pulled its LifeLock Wallet application from the App Store, Google Play and Amazon Apps after the company realized the product was not compliant with payment card industry security standards.
The company's stock took a dive last week after the announcement was made, and intially dropped 17% since the markets opened -- and has since rebounded to 1% profit at the start of the week.
LifeLock has to meet certain security requirements following a 2010 FTC ruling that the company both misled customers with fear-driven marketing and didn't do enough to secure identity information.
While there's no sign of a breach, the company says that it would rather play it safe and only restore the apps once people can trust them "without question."
"We have determined that certain aspects of the Lemon Wallet (now called the LifeLock Wallet mobile application), which we acquired as part of our acquisition of Lemon, Inc., are not fully compliant with applicable payment card industry (PCI) security standards.
As a result, we have temporarily suspended the Wallet mobile application, and are deleting the data (encrypted or otherwise) from our servers, until we can operate the Wallet mobile application in accordance with those standards. We have no indication that the data included in the Wallet mobile application servers was compromised.
The Wallet mobile application storage processes are separate and independent from LifeLock’s core identity theft protection services business, including the enrollment and related credit card storage processes used in our standard LifeLock® service and our LifeLock Ultimate™ service. As such, we do not expect the suspension of the Wallet mobile application to impact in any manner the core functionality or utility of the identity theft protection services we provide to our members.
Our consent order with the Federal Trade Commission (FTC) sets forth certain requirements for the security practices of LifeLock and all of its subsidiaries and for our representations to consumers about those practices. On May 15, 2014, on our own initiative, we informed the FTC Staff of these issues, and we expect to receive further requests for information from the FTC about these issues.
It is possible that this PCI non-compliance of the Wallet mobile application could result in a determination by the FTC that we are not in full compliance with our FTC consent order."
Davis added the company had no evidence that user information had been compromised but felt deleting all current user data was "the right thing to do."