MoviePass Server Breach Is the Latest Example of How It Plays Fast and Loose With User Data

MoviePass just keeps shooting itself in the foot. On Wednesday, the beleaguered movie-ticketing subscription service confirmed that a security breach may have exposed tens of thousands of customers’ records online, where they may have remained unencrypted since early May. That information is alleged to include MoviePass card numbers and personal credit data including names, addresses, and card expiry dates — in other words, the building blocks for fraudulent financial transactions — all thanks to a lapse in password protection on a critical subdomain server.

“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this system,” chief executive Mitch Lowe said in a statement. “MoviePass takes this incident seriously and is dedicated to protecting our subscribers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our subscribers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”

The announcement arrives as the latest self-inflicted calamity for the so-called Netflix of movies, which has remained in financial free fall for the better part of the past 17 months and has seen its goal of disrupting the theatrical-moviegoing business grow ever more remote. Dwindling from a user base of more than 3 million last year, MoviePass reportedly now boasts fewer than 225,000 subscribers.

Worse still, the company is furthering its already horrible reputation for jerking subscribers around by continuing to play fast and loose with customer data. News of the server breach comes just two weeks after another report that in July 2018, MoviePass resorted to changing users’ passwords without their knowledge to thwart ticket purchases by heavy users after the company temporarily ran out of funds. Citing former MoviePass employees, Business Insider reported that the 2018 insolvency compelled Lowe to make Mission: Impossible — Fallout unavailable on MoviePass and to order that half of its subscribers be locked out of the system over the Tom Cruise thriller’s opening weekend.

Rising from obscurity to national prominence in 2017 by basically subsidizing subscribers’ moviegoing habits — a $9.95 monthly subscription allowed for one movie ticket a day, every day — MoviePass coasted by on consumer goodwill for a few months before staggering from disaster to disaster: technological glitches, surprise ticketing blackouts, massive amounts of user fraud. It eventually evolved into what NASDAQ characterized in a stock analysis as a “failed business that burns through cash at an alarming rate.”

MoviePass revised its original price plan in April 2018, limiting users to just four movies a month — and dropping that number to three films four months later. The decisions triggered mass subscriber outrage and defection. This January, when the majority stakeholder and parent company of MoviePass, the data-analytics firm Helios and Matheson, spun off a new subsidiary called MoviePass Entertainment Holdings, Wall Street and Hollywood finally came around to what naysayers like the AMC theater chain had been complaining about all along: that the business model of MoviePass was fundamentally “unsustainable.”

Earlier this year, the company was spending an estimated $73 million a month to stay in operation. Helios and Matheson reported a net loss of $329.3 million last year, according to its most recent financial filing. And adding insult to the company’s already considerable injuries, on July 4 MoviePass suspended its service for several weeks to address technical issues and complete a redesign of its mobile app, and it announced its intention to “use this time to recapitalize in order to facilitate a seamless transition and improved subscriber experience once the service continues.”

But as Helios and Matheson CEO Ted Farnsworth pointed out in an interview with Vulture earlier this year, unscrupulous subscribers who misused and defrauded MoviePass to the tune of tens of millions of dollars posed a much graver threat than cash burn. “They were giving out their passwords and codes, jumping from device to device,” he said. “Multiple people seeing movies off of one MoviePass card. Multiple cards, multiple addresses, multiple emails. We had people scalping tickets. So it was really trying to get a grip on the people that were really abusing the terms and conditions and ruining it for other people.”

To remedy some of those issues, MoviePass deployed big data with tactical precision: The company verifies that subscribers (as opposed to scalped-ticket purchasers, friends, or loved ones) are the ones whose butts are in theater seats by double-checking the physical location of users’ smartphones via the MoviePass app. “So now, we continue inside the movie theater when that movie’s kicking off to make sure you’re not two miles away having dinner and somebody else is in there with the ticket,” Farnsworth explained.

Furthermore, he contextualized his company’s awkward-stage contractions in terms of the trajectory of other disruptive start-ups. “When Airbnb and Uber were starting out, they had these system crashes. And no one cared because it wasn’t in the public eye,” he said. “We, unfortunately, were in the public eye nonstop. And people would just feed on it. But you know what? We’re still standing.”
