UPDATED: Play.com hit by security breach


Play.com has admitted to losing a number of names and email addresses thanks to a security breach at a third party company.

The online retailer emailed its users late last night to inform them of the breach, which hit the firm paid to deal with Play.com's marketing communications.

However, no details were released explaining how the losses occurred or how many of its customers had been affected.

The email reminded customers that the company never asks for passwords, bank details or credit card numbers over email, so if they received anything that looked suspicious they should forward it to privacy@play.com.

"We take privacy and security very seriously and ensure all sensitive customer data is protected," the email from Play.com's customer service team read.

"Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved."

The Information Commissioner's Office (ICO), which is responsible for enforcing the Data Protection Act, could fine the company up to £500,000 if it considered the breach serious enough. But when IT PRO spoke to the organisation this morning, it said it had yet to be notified of the issue.

Rik Ferguson, director of security research and communication at Trend Micro, told IT PRO that although only names and email addresses were lost, they were still "personally identifiable information" and so would "count" if the ICO chose to pursue the case.

When asked whether customers should be worried, Ferguson claimed they should just remain vigilant, even if they didn't receive the warning email.

"I know I didn't get an email but my colleague got one," he explained. "They may have expunged their database, or only notified those affected, but it is hard to know when they have revealed so little information about [the breach]."

"Customers should be concerned though as the association of a name and email address along with where you have shopped is still enough to launch a credible phishing attack, for example."

Ash Patel, country manager in the UK and Ireland for Stonesoft, agreed, telling IT PRO: "Despite the fact that Play.com is reassuring its customers that hackers didn't steal important financial data and that they only managed to get away with names and email addresses doesn't make this any better."

"The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC."

Whilst the third party responsible for the breach is under no legal obligation to make further details known, Ferguson hoped it would reveal more in order to reassure customers.

"There is not any obligation to offer more information but... if it is an outsourced agency, one can assume they have more than one customer," he said.

"If they could explain how the breach happened, to what extent and what customers were affected, it would put minds at ease and show best practice."

IT PRO contacted Play.com this morning to ask for more details on the security breach, but it had not returned our request at the time of publication.

UPDATE: Play.com has just released a statement from chief executive (CEO) John Perkins giving more details on the data breach.

He said: "On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps."

Then things got complicated. Perkins said he believed the loss of details "may be related to some irregular activity" at its email service provider, Silverpop, back in December 2010.

However, he admitted investigations at the time showed "no evidence" any email address had been taken.

There was no more information on what type of breach had occurred but Perkins went on to say "all the necessary steps [were taken] to ensure a security breach of this nature does not happen again."

We contacted Play.com again to ask why it believed the "irregular activity" was responsible if no evidence had been found, and to clarify what that activity was, but it had not responded to our request at the time of publication.

IT PRO will continue to update you on this story as we get more information.

Jennifer Scott

Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.

Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.