On Tuesday, Play.com alerted customers that certain email addresses and names had been compromised after someone cracked the databases used by the retailer's marketing company. Later in the day, the company offered additional details, naming Silverpop as the source of the exposed information.
As one of the Web’s largest online sellers of CDs, DVDs, books, and apparel, Play.com has millions of customers worldwide. On Tuesday, it emailed its customer base to report the data breach.
“Unfortunately this has meant that some customer names and email addresses may have been compromised,” the mail outlined. “If you receive anything suspicious in your email, please do not click on any links and forward the email on to [email protected] for us to investigate.”
Following that, Play.com CEO John Perkins told customers via Facebook that the retailer believes the issue “may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded.”
As it turns out, that was a false hope. Play.com’s customers are reporting spam addressed to email accounts used only at the online retailer. Aside from email addresses and names, nothing of major financial value was lost in the compromise.
“…other personal information (i.e., credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained,” Perkins added in his message.
Last December, Silverpop suffered a data breach that impacted more than 100 customers. After the incident, McDonalds and deviantART warned customers that they were impacted as a result. Later, American Honda Motor Company, another Silverpop client, reported a breach of 4.9 million customer records.
“The media has recently been covering the security disclosures of several large brands. It is important to clarify that several of these large brands have never been Silverpop customers,” Silverpop CEO Bill Nussey said in a statement on December 15.
However, as we reported previously, press releases and, in some cases, reports from the breached customers themselves, link the businesses and the lost data to Silverpop directly.
In September of 2009, American Honda Motor Company presented Silverpop with its Premier Partnership Award for “excellence in supporting Honda's email marketing efforts.” [Link]
Likewise, in an email to The Tech Herald, McDonalds named Arc Worldwide as its marketing management company. According to Silverpop, Arc Worldwide is part of a strategic partnership. [Link]
In an email to users, deviantART named Silverpop directly, saying:
“Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed.”
Silverpop was unavailable for comment at the time of publication. If it addresses this recent disclosure, we’ll be sure to update the story.