Play.com admits to security breach, with customer email addresses leaked and spam messages sent

Play.com has admitted a leak of customer names and email addresses due to a security breach at a third party provider.

In a statement, Play.com said that some customers reported receiving a spam email to addresses that they only use for the website.

It said: “We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. We believe this issue may be related to some irregular activity that was identified in December 2010 at our email [marketing] service provider Silverpop.

“Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email [marketing] service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.”

It moved to reassure customers that all of their other personal information, including credit cards, addresses and passwords were secure, saying that Play.com has one of the most stringent internal standards of e-commerce security in the industry that is audited and tested several times a year to ensure this high level of security is maintained.

Mark Harris, global director of SophosLabs, said that while Play.com's statement was a good thing, it does not offer any information about what people should do if they notice any unusual activity on their Play.com account. He said: “The full extent as to what information has been leaked is not clear, but any security breach involving the loss of customer information is extremely serious."

Ash Patel, country manager UK and Ireland at Stonesoft, said: “Play.com is reassuring its customers that hackers didn't steal important financial data and that they only managed to get away with names and emails addresses, but it does not make this any better.

“This is why it is imperative that organisations which hold customer information take IT security seriously. Hackers are often after low hanging fruit, and companies that employ low-level security are an easy and often extremely valuable target. Play.com customers will have to be extra vigilant during this time and they should refrain from opening email attachments that could potentially contain malicious material. This also highlights the importance of giving careful consideration to the levels of network security applied by business partners, especially when sharing detailed customer information.”

Garry Sidaway, director of security strategy at Integralis, said: “This is just another example of compromise to obtain personal information that can then be used elsewhere. We often take great care with our personal financial information and dealing with banks online, but personal information can and is obtained often through sites or sources that you wouldn't necessarily think would be a target.

“This information is then used for more traditional fraudulent activities and is often verified through a phone call or a small donation to charities. Information is valuable no matter where it is stored, and as highlighted in the advisory, clicking on links in emails or responding to requests for password changes is a no no."

Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “While Play.com reports that only customer names and emails are at risk and that no credit card or other confidential information was compromised, this incident is a stark reminder that an organisation's security and reputation is often dependent on the behaviour of third parties.  To prevent these embarrassing and costly breaches from occurring, businesses need to prescribe stricter security policies for their outsourcers.”

Hugo Harber, director of products and market solutions at Star, agreed, claiming that this breach again proves that you really need to ensure that your partners will guarantee the security of your data at all times.  “As security is such a major concern for all online consumers, businesses must continuously maintain high levels of security. Many mid-size businesses face a huge security challenge that even large enterprises would be hard pressed to match. Just one security breach could destroy your credibility,” he said.

Sign up to our newsletters