Play.com security breach leaves customers open to spam
Third-party marketing firm is hacked and customer details stolen
Play.com has become the latest high-profile company to suffer a security breach, with customer details and email addresses stolen in an attack on its third-party marketing company.
A red-faced Play had to send out a security message late last night, informing its customers that the breach had taken place and that their name and email address may have been stolen. It was quick to point out that the problem wasn’t at its end.
“We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved,” said the email. “Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.”
That’s all very nice, but the fact of the matter is that private data was entrusted to Play.com and it is its responsibility to safeguard it, regardless of whether it or a third party was breached. Given the security implications, the breach could lead to the ICO, the body that looks after the Data Protection Act, fining the company.
The original Play.com email contained very few details about how the breach occurred. Neither did the statement released by Play.com CEO, John Perkins, which was reported on our sister title IT Pro: “On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.”
Perkins also said that the breach probably came from “irregular activity” at its email service provider, Silverpop; however, further information on what this activity was has not been released.
What has come out of this episode is that the breach was originally detected by people using specific email addresses for Play.com, such as play@mydomain.com. As well as highlighting when a site has been breached, a dedicated address can simply be switched off and replaced with a new one to stop any spam coming through.
The easiest way to get dedicated email addresses is to register a domain name with a hosting company and use its email forwarding facility to set up addresses for each service. If one is breached, you can simply take it down and create a replacement, hiding your real email address and safeguarding it against attacks.
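The detection described above can be automated. The following is an added example, not part of the original article: it checks which per-service address received mail from a sender unrelated to the service it was registered with. The alias registry, the `examplebank.test` and `unrelated-sender.example` domains and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical registry: dedicated address -> domains that service sends from.
ALIASES = {
    "play@mydomain.com": {"play.com"},
    "bank@mydomain.com": {"examplebank.test"},
}

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    "From: Play <news@email.play.com>\nTo: play@mydomain.com\n"
    "Subject: Your order\n\nThanks for your order.",
    "From: Offers <promo@unrelated-sender.example>\nTo: play@mydomain.com\n"
    "Subject: Special offer\n\nClick here.",
    "From: Bank <alerts@examplebank.test>\nTo: bank@mydomain.com\n"
    "Subject: Statement\n\nYour statement is ready.",
]

def sender_domain(msg):
    """Return the lower-cased domain of the From header, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def leaked_aliases(raw_messages, aliases=ALIASES):
    """Map each dedicated address to the unexpected sender domains seen on it."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = []
        for name in ("To", "Cc", "Delivered-To"):
            headers += msg.get_all(name, [])
        dom = sender_domain(msg)
        for _, rcpt in getaddresses(headers):
            allowed = aliases.get(rcpt.lower())
            # Mail to a known alias from a domain outside its service
            # means the address has escaped from that service.
            if allowed is not None and not domain_matches(dom, allowed):
                leaks.setdefault(rcpt.lower(), set()).add(dom)
    return leaks

if __name__ == "__main__":
    for alias, senders in leaked_aliases(SAMPLE_MESSAGES).items():
        print(f"{alias} received mail from: {', '.join(sorted(senders))}")
```

The From header can be forged, so a matching domain does not prove a message is genuine; the useful signal is a mismatch on an address that was only ever given to one service.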