We take security seriously at Perkville and plan to publish issues that we find and resolve, even if they are minor and there is no evidence a breach occurred, to ensure that we stay in compliance with legal requirements as well as to establish trust with our customers.

We found and resolved a security issue in our connection balance API on January 15, 2021. We discovered that an approved API developer would have been able to access the following data for customers of a business if a staff member of the business authorized sharing these details for their own account:

Perkville user ID (e.g. a number such as 29482 identifying the user in Perkville)
Point balance at the business
Total points earned and redeemed at the business
The title and date of the customer’s last transaction at the business

Names, email addresses, birthdays, etc. were not exposed through this method. We have no evidence that unauthorized access to this data actually occurred.

We want to reiterate that this data was not exposed to the public. The data points listed above could only have been accessed by an API client that was approved by Perkville and only if a staff member approved the sharing of these details for their own account.

‍