LifeLock app scrubbed over PCI issues
LifeLock, the identity theft protection company, pulled one of its mobile apps from distribution and deleted all the user data held within its systems. The abrupt move was in response to significant security concerns, as disclosed in a blog post by LifeLock CEO and Chairman Todd Davis. He writes,
“We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards.”
There has been no further information on what components of the PCI security standards were violated by the popular app, known as LifeLock Wallet. Davis adds, “For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app.”
The LifeLock Wallet app came about after the company purchased mobile wallet innovator Lemon for approximately $42.6 million in cash in December of 2013. LifeLock Wallet contained digitized copies of credit cards, ID, insurance, and debit cards. The app also tracked card purchases, categorized spending and updated credit card balances.
The collection of credit card and other personal information in one location is bound to PCI standards; this applies to mobile applications as much as any other software application. Under PCI rules, any stored data must be encrypted at all times, and the keys utilized for this encryption must be protected.
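The two obligations named above, stored card data encrypted and the encryption keys protected, are easier to reason about with a concrete storage pattern in front of you. The following Go program is an added example written for this article; it is not LifeLock Wallet code and says nothing about how that app stored data. It demonstrates envelope encryption: each card record gets its own data-encryption key (DEK), the DEK is itself encrypted ("wrapped") under a key-encryption key (KEK) that is assumed to live outside the record store (an HSM or key vault in practice), and the only cleartext kept with the record is a masked PAN limited to the first six and last four digits. The type names, function names and the test PAN are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what the hypothetical store persists for one card. Nothing in it
// is usable without the key-encryption key (KEK), which is kept elsewhere.
type CardRecord struct {
	MaskedPAN  string // display form only: at most first six and last four digits
	DEKNonce   []byte
	WrappedDEK []byte // per-record data-encryption key, encrypted under the KEK
	DataNonce  []byte
	Ciphertext []byte // AES-GCM(PAN) under the DEK
}

// aead builds an AES-GCM instance for a 16-, 24- or 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	g, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; a wrong key or a tampered record fails here.
func open(key, nonce, ct []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, nil)
}

// MaskPAN returns the display form: at most the first six and last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// StoreCard encrypts a PAN under a fresh per-record DEK, wraps that DEK under
// the KEK, and keeps only the masked PAN in the clear.
func StoreCard(kek []byte, pan string) (CardRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CardRecord{}, err
	}
	dataNonce, ct, err := seal(dek, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{MaskedPAN: MaskPAN(pan), DEKNonce: dekNonce, WrappedDEK: wrapped,
		DataNonce: dataNonce, Ciphertext: ct}, nil
}

// RetrieveCard unwraps the DEK with the KEK, then decrypts the PAN with the DEK.
func RetrieveCard(kek []byte, rec CardRecord) (string, error) {
	dek, err := open(kek, rec.DEKNonce, rec.WrappedDEK)
	if err != nil {
		return "", errors.New("cannot unwrap data-encryption key")
	}
	pan, err := open(dek, rec.DataNonce, rec.Ciphertext)
	if err != nil {
		return "", errors.New("cannot decrypt card data")
	}
	return string(pan), nil
}

// ContainsPlaintext reports whether any persisted field holds the PAN in the
// clear: a quick self-check to run against what actually reaches storage.
func ContainsPlaintext(rec CardRecord, pan string) bool {
	for _, f := range [][]byte{rec.DEKNonce, rec.WrappedDEK, rec.DataNonce, rec.Ciphertext} {
		if strings.Contains(string(f), pan) {
			return true
		}
	}
	return rec.MaskedPAN == pan
}

func main() {
	kek := make([]byte, 32) // constructed; in practice fetched from an HSM or key vault
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := StoreCard(kek, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	pan, err := RetrieveCard(kek, rec)
	fmt.Println(rec.MaskedPAN, ContainsPlaintext(rec, "4111111111111111"), pan, err)
}
```

The point of the split into DEK and KEK is that a copy of the record store alone yields nothing: the attacker would also need the KEK, which is exactly the "keys must be protected" half of the requirement. Whether a real app satisfies it depends on where that KEK actually lives (a hardcoded constant in the binary would not qualify), which is the kind of detail Davis's post does not disclose.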
It is not clear in Davis’s disclosure which of those pieces were violated, but the wiping of data is quite telling of the critical data issue:
“We have taken steps to delete all stored information for the mobile app from our servers,” Davis writes. “Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do.”
LifeLock is planning to relaunch the application after the issues are addressed. The company is under intense scrutiny and has taken a number of public blows, currently taking a pounding on Wall Street after several ratings downgrades. In 2010, the company settled for a $12 million fine with the Federal Trade Commission and 35 state attorneys general on charges that the company’s service didn’t work as advertised. Davis has also famously put his Social Security number on the website as a show of confidence in the service. That hasn’t worked out all that well for him, as according to various 2010 reports Davis may have had his identity stolen thirteen times, adding doubt to the company’s major selling point.
An app commissioned by a company that sells the protection of identity and credit information should be scrutinized for sound security practices. Exactly how this weakness or flaw came to light is not clear. It could have been third-party penetration testers hammering on the software, it could have been internal teams reviewing the application itself, or it could have been an alert from the community.
We do know that thus far there have been no reported exploits of the issue, and for that fact, and for pulling the application from the market in response to the revelation, there are some positive elements to the story.
photo credit: kleuske via photopin cc, Google “LifeLock”