Play.com admits data breach

Summary: Customers of Jersey-based Play.com, a major online retailer, may have had their email addresses and names compromised in a security breach at a third-party provider.

Customers of Play.com have been left open to spam fraud after one of the online retailer's suppliers suffered a data breach.

Play.com wrote to users on Monday outlining the problem, which it said may have exposed email addresses, but not credit card details.

"We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach," said the message. "Unfortunately this has meant that some customer names and email addresses may have been compromised."

The third-party company that suffered the leak is Silverpop, a spokeswoman for Play.com told ZDNet UK. The email database company saw a data compromise in December 2010 that affected McDonald's customers.

Silverpop told ZDNet UK on Tuesday that it had suffered a breach in the autumn of 2010, but did not believe that this was affecting Play.com customers.

"While we are reviewing all possibilities, it's difficult for us to directly connect the 2010 incident with specific spam messages sent this year," said Silverpop spokeswoman Stacy Kirk.

Play.com is a major UK online seller of games, DVDs and other products. However, it is based in Jersey and is now being probed by the island's privacy authority, the Office of the Data Protection Commissioner (ODPC), over the breach.

"We've been made aware of [a possible breach] in the last half hour," deputy commissioner Paul Vane told ZDNet UK on Tuesday. "It seems there is cause for concern. We will be establishing from [Play.com] what has happened and how we can deal with it."

Vane said a UK-based Play.com customer had forwarded a forum post with concerns about a possible leak, plus the warning email from the company. As Play.com is ultimately responsible for its customer data, Vane said the ODPC would expect to see a robust data-processing contract between Play.com and the marketing agency that had the security breach.

"If a breach is identified, we can issue an enforcement notice or an undertaking... This is a strategy we use as a last resort," said Vane. "There is a possibility enforcement action could be used."

Spam emails

Security company Netcraft said a number of people identifying themselves as Play.com customers had complained of receiving spam emails on the MoneySavingExpert.com website.

"Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment," Netcraft said in a blog post. "Some of these emails were sent to unique email addresses that have only been used at Play.com, suggesting that the spammer had access to private customer details."

Play.com warned people not to be tricked by any spam emails they may receive as a result of the leak.

"At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers," said the company. "If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate."


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

4 comments
  • Interesting. It seems that the spam messages were sent from another hacked mailer - Exacttarget, an American provider.

    http://www.gsn.com/forums/showthread.php?t=891&page=2&s=3159a37eedbf0e6b5ac8831f65b9545d
    security_obs
  • I received so many spam emails and just looked up the IP address and it's also registered to
    Exact Target, another Email Provider. Is there any new info out there??
    Why wasn't I notified?
    Redbluered8
  • Hello Redbluered,

    There is some more info. Play.com sent out an email to customers this morning, still saying it believes that customer email addresses were compromised in the Silverpop breach:

    "Dear Customer,
    As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.
    We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.
    We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.
    Best regards,
    John
    John Perkins
    CEO
    Play.com"

    Silverpop told ZDNet UK:

    "Silverpop was among several technology providers targeted as part of a broader cyber attack that occurred in the fall of 2010. At that time, we very quickly stopped the attack, notified all customers impacted by the activity and began working with the FBI, law enforcement and third party security experts to help identify those responsible and take any additional steps necessary to ensure this did not happen again. We are confident that the breach last year remains an isolated incident."

    and:

    "We cannot comment on specific customers nor are we privy to how any particular customer manages their data outside our system. While we are reviewing all possibilities, it's difficult for us to directly connect the 2010 incident with specific spam messages sent this year."
    Tom Espiner
  • Thanks so much for this information. It's so difficult to tell what emails are spam and what is not. Mobile Network security has become so important to business today.
    cupcake21