Feeds

Feds probe '100 site' data breach

McDonald's Silverpopped

Protecting against web application threats using SSL

FBI agents looking into the theft of customer data belonging to McDonald's are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems .

“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI's Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”

He declined to provide further details.

Over the past week, at least two other sites – one known to have ties to Silverpop and the other that appears to – offered similar warnings to their customers. deviantART, a website that boasts more than 16 million registered accounts, warned its users that their email addresses, user names and birth dates were exposed to suspected spammers as a result of a breach at the email provider.

“Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers,” devantART's email stated. “We can assure you that nothing occurred on our systems with respect to this incident and no access was gained to private information on deviantART's servers. Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.”

And late last week, Walgreens, the largest US drugstore chain, warned that hackers stole a customer list and used it to send them phishing emails that sought additional personal information.

Walgreens didn't say how the list was stolen, but according to this press release, the drugstore chain uses Arc Worldwide as its "promotional marketing 'agency of record.'" The marketing services arm of Leo Burnett USA, Arc Worldwide was the same business partner that hired the unnamed email database provider that lost the McDonald's customer list. And as the press release here makes clear, Arc Worldwide counts Silverpop as a partner.

A receptionist answering main number for marketing company Arc Worldwide said she didn't have a public relations department to transfer reporters to. A spokeswoman for Silverpop declined to answer questions, but issued a statement that read in part:

When we recently detected suspicious activity in a small percentage of our customer accounts, we took aggressive measures to stop that activity and prevent future attempts. Among other things, we unilaterally changed all passwords to protect customer accounts and engaged the FBI's cybercrime division. It appears Silverpop was among several technology providers targeted as part of a broader cyber attack. We have notified all customers impacted by this activity. We are currently focused on working with our customers, especially the small percentage impacted by these events.

Beyond the cliche about chains being only as strong as their weakest links, the lesson here is that companies that expose their customers' secret data can't be trusted unless they come clean about what went wrong and what they've done to prevent it from happening again. So far, Silverpop hasn't done that, which is something readers should remember the next time they're asked to share their personal details with Salesforce.com, Ciena, Edgar Online; IBM's Coremetrics division or Adobe's Omniture business unit, to name just a few.

What you don't know could come back to bite you in the ass. Just ask McDonald's, deviantART and (probably) Walgreens. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.