admits data breach

Customers of Jersey-based, a major online retailer, may have had their email addresses and names compromised in a security breach at a third-party provider

Customers of have been left open to spam fraud after one of the online retailer's suppliers suffered a data breach. wrote to users on Monday outlining the problem, which it said may have exposed email addresses, but not credit card details.


"We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach," said the message. "Unfortunately this has meant that some customer names and email addresses may have been compromised."

The third-party company that suffered the leak is Silverpop, a spokeswoman for told ZDNet UK. The email database company saw a data compromise in December 2010 that affected McDonald's customers.

Silverpop told ZDNet UK on Tuesday that it had suffered a breach in the autumn of 2010, but did not believe that this was affecting customers.

"While we are reviewing all possibilities, it's difficult for us to directly connect the 2010 incident with specific spam messages sent this year," said Silverpop spokeswoman Stacy Kirk.

is a major UK online seller of games, DVDs and other products. However, it is based in Jersey and is now being probed by the island's privacy authority, the Office of the Data Protection Commissioner (ODPC), over the breach.

"We've been made aware of [a possible breach] in the last half hour," deputy commissioner Paul Vane told ZDNet UK on Tuesday. "It seems there is cause for concern. We will be establishing from [] what has happened and how we can deal with it."

Vane said a UK-based customer had forwarded a forum post with concerns about a possible leak, plus the warning email from the company. As is ultimately responsible for its customer data, Vane said the ODPC would expect to see a robust data-processing contract between and the marketing agency that had the security breach.

"If a breach is identified, we can issue an enforcement notice or an undertaking... This is a strategy we use as a last resort," said Vane. "There is a possibility enforcement action could be used."

Spam emails

Security company Netcraft said a number of people identifying themselves as customers had complained of receiving spam emails on the website.

"Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment," Netcraft said in a blog post. "Some of these emails were sent to unique email addresses that have only been used at, suggesting that the spammer had access to private customer details."

warned people not to be tricked by any spam emails they may receive as a result of the leak.

"At we will never ask you for information such as passwords, bank account details or credit card numbers," said the company. "If you receive anything suspicious in your email, please do not click on any links and forward the email on to for us to investigate."
