Play.com: Only customer emails lost in data breach
Mailshotter Silverpop blamed for malwarey kerfuffle
Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses.
The breach led to distribution of spam to email addresses only registered with the online retailer on Sunday, a development that led to howls of protest from users.
These emails offered supposed software updates from Adobe but actually linked to sites serving up malware.
The offer of the latest version of Adobe Reader X out of the blue and via email is unlikely to have taken in many, since the ruse was neither timely, subtle nor salacious.
Play.com, which issued an apology to users via email on Tuesday morning, has since come forward with an official statement from chief exec John Perkins (below) that seeks to downplay the significance of the admitted breach. In particular the online retailer stresses that the snafu only affected email details, and not credit card details or other sensitive information.
On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com.
We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. We believe this issue may be related to some irregular activity that was identified in December 2010 at our email [marketing] service provider Silverpop.
Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email [marketing] service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.
We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained.
On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.
Play.com is one of the UK's largest online retailers of DVDs, CDs, books and consumer electronics gadgets. ®
Same guys? http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
Still doesn't answer questions
about why they give peoples details to a third party when you told them they can't do that at the time you signed up for an account.
All the personal information you hand over to Play is treated to "one of the most stringent internal standards of e-commerce security in the industry" except for the bits they outsource to "cheap as humanly possible" partners, who may apply rather less rigorous standards in order to cut costs. Play also reserve the right not to fess up to any information haemorrhage unless users actually catch them out, in which case they'll move very quickly to blame someone else, who they will now refer to as "supplier" rather than the previously chummy "partner".