Identity theft security firm LifeLock has pulled its popular Wallet app from availability and taken the unusual step of deleting all data stored by current users after it deemed the app non-compliant with security standards.
“We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards,” says LifeLock CEO and Chairman Todd Davis in a blog post announcing the move. “For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app.”
Davis said there was no evidence that user information had been compromised but that deleting all currently held data was “the right thing to do.”
However, deleting data without warning is sure to irritate some users. One TNW reader, who alerted us to the move, told us: “I’ve spent hours putting in data into this application… While some of it is a simple ‘duplication’ of cards in my physical wallet, there is much of it that consists of access codes, policy numbers, membership information – that I have no place else! My fault aside, they should have at least allowed me to back up the data!?”
LifeLock acquired the app previously known as Lemon Wallet in December last year. Available for iOS and Android, it can store users’ payment card information and other important data in what was supposed to be a secure ‘locker’.
In his blog post, Davis apologizes for the inconvenience caused by deleting user data and says that Wallet will return “with the highest level of PCI compliance” once the security flaw has been resolved.
Update: We’ve heard from a reader that switching your phone to airplane mode before opening the app can give you access to your data without having it wiped by the server. Once you’ve backed up any important information, we recommend you let the app delete your data in order to protect yourself from the security flaw.
Update 2: It’s also worth noting that LifeLock was previously fined $12 million for “deceptive business practices and for failing to secure sensitive customer data,” as Wired reported in 2010. (Hat tip @anildash).