Customers of Play.com have been left open to spam fraud after one of the online retailer's suppliers suffered a data breach.
Play.com wrote to users on Monday outlining the problem, which it said may have exposed email addresses, but not credit card details.
It seems there is cause for concern. We will be establishing from [Play.com] what has happened and how we can deal with it.– Paul Vane, Office of the Data Protection Commissioner
"We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach," said the message. "Unfortunately this has meant that some customer names and email addresses may have been compromised."
The third-party company that suffered the leak is Silverpop, a spokeswoman for Play.com told ZDNet UK. The email database company saw a data compromise in December 2010 that affected McDonald's customers.
Silverpop told ZDNet UK on Tuesday that it had suffered a breach in the autumn of 2010, but did not believe that this was affecting Play.com customers.
"While we are reviewing all possibilities, it's difficult for us to directly connect the 2010 incident with specific spam messages sent this year," said Silverpop spokeswoman Stacy Kirk.
Play.com is a major UK online seller of games, DVDs and other products. However, it is based in Jersey and is now being probed by the island's privacy authority, the Office of the Data Protection Commissioner (ODPC), over the breach.
"We've been made aware of [a possible breach] in the last half hour," deputy commissioner Paul Vane told ZDNet UK on Tuesday. "It seems there is cause for concern. We will be establishing from [Play.com] what has happened and how we can deal with it."
Vane said a UK-based Play.com customer had forwarded a forum post with concerns about a possible leak, plus the warning email from the company. As Play.com is ultimately responsible for its customer data, Vane said the ODPC would expect to see a robust data-processing contract between Play.com and the marketing agency that had the security breach.
"If a breach is identified, we can issue an enforcement notice or an undertaking... This is a strategy we use as a last resort," said Vane. "There is a possibility enforcement action could be used."
Security company Netcraft said a number of people identifying themselves as Play.com customers had complained of receiving spam emails on the MoneySavingExpert.com website.
"Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment," Netcraft said in a blog post. "Some of these emails were sent to unique email addresses that have only been used at Play.com, suggesting that the spammer had access to private customer details."
Play.com warned people not to be tricked by any spam emails they may receive as a result of the leak.
"At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers," said the company. "If you receive anything suspicious in your email, please do not click on any links and forward the email on to email@example.com for us to investigate."
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.