Retail Technology

Online retailer names email provider Silverpop as the potential source of customer email data security breach

Yesterday, Retail Technology's website reported that Play.com, the UK-based online retailer of DVDs, CDs, MP3s, books and gadgets, had emailed its customers to warn them of a security breach in its marketing communications, where names and email addresses may have been compromised.

The company sent out email security messages to some of its customers, advising: “A company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.”

But in another series of emails sent out to customers late Tuesday, it explained: “On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.”

The retailer’s message also named a related incident as a possible source, identifying one of its communications providers. “We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop,” it said.

Possible spam exposure

Mark Harris, vice president of security at SophosLabs, welcomed the fact that Play.com issued a statement to let customers know about the security breach, but he pointed out that it did not offer any information about what people should do if they notice any unusual activity on their Play.com account.

“Even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data,” said Harris. “Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”

Ross Brewer, vice president and managing director for international markets at LogRhythm, commented: “This incident is a stark reminder that an organisation’s security and reputation is often dependent on the behaviour of third parties. To prevent these embarrassing and costly breaches from occurring, businesses need to prescribe stricter security policies for their outsourcers.

Keeping an audit trail

“Few firms monitor the internal workings of their IT infrastructures, so have little idea how hackers roam around the network in search of valuable information. By stipulating that suppliers must deploy log management solutions, organisations can not only gain forensics into how an attack spreads, they can also receive alerts about any suspicious behaviour, enabling them to prevent a damaging breach from happening in the first place.”

News of this incident comes hot on the heels of new research from The Ponemon Institute estimating that the average data breach now costs UK firms £1.9 million. In separate research, conducted by OnePoll in November 2010, 66% of UK consumers said they would try to avoid future interactions with companies that had lost their personal data.

As far as Play.com is concerned, a number of news outlets reported back in November 2009 that Play.com suffered more technical difficulties involving other customers’ data when order confirmation emails were sent to the wrong customers.