Multiple Reg readers were annoyed at receiving junk mail messages on Monday from addresses they had only registered with online retailer Play.com. Several of these junk mail sites pointed to black hat controlled domains that served up malware, heightening complaints on online forums (discussion on MoneySavingExpert here) and …
I'm one of those nerds
That uses a different address for each website - very useful for seeing who your spam comes from, but more useful for seeing the attitude of the company when you tell them "wasn't our fault, you must be mistaken", and the tech ability of the staff when you have to actually speak to them...
"Are you SURE your email address is sky@*****.co.uk".
Another Nerd(ette?) here, I use the same system. It doesn't cost much to buy your own domain, then you can use unique addresses for each website. I do this, and once it's breached, change the address and you can force the old one to bounce. You also know which site has had its security breached (or sold your details without your consent) and you can then make a choice whether to continue using that site since they don't seem to take security (or your privacy) seriously. Words (and excuses) mean nothing, actions speak louder. If they're selling your email addresses, what else are they doing, i.e. do you store your card details with them? Food for thought.
I didn't think I was a nerd for doing that, but...
...if the cap fits...
Another "me too" but it is dashed useful. And having a Demon account means I can do it without running my own domain. Actually I s'pose having a Demon account in 2011 is quite nerdy. Well I can live with that.
Can't be bothered with all that
I've used one Yahoo email address for everything for ages. I don't get any spam.
Yup - I have noticed the same from Amazon - must have been a marketplace purchase :-(
Spam 'from' GSN?
I received this lame apology from Play too. Really annoyed, because I'd kept my address 'clean' for years and now through no fault of my own it's going to get a ton of spam and I need to change passwords etc.
Interesting that you mention the GSN link because I got spam yesterday purporting to be *from* GSN (offering Acrobat X PDF Reader). I've never been to GSN.com in my life let alone signed up.
I haven't bought anything from Play in a couple of years now, but certainly won't be again after this!
I got one from GSN as well. I've never been there so emails from them are now blocked. At least now I know why. I have bought from Play, but never again. If you value your customers' privacy and their details, why outsource to another company? Well? Care to answer that one, Play? Obviously profit comes before privacy. I shall be telling Play to delete my account forthwith. Yes, I use different addresses for different sites as well, so another nerd here and proud of it :-)
Paris. Well why not:-)
A 3rd party breach is still their responsibility.
And how do you suggest they police or mitigate that?
I got the GSN spam but I have never registered with the site - it's not so clear cut...
Got the email from Play (regular customer, doesn't sound like it's their fault though), and got the Acrobat X spam from GSN (never been there before, never heard of that site) as well...
it IS their fault
as they passed your details on, hence it's down to them, their responsibility.
Apology email received
Email Security Message
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.
We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.
Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.
Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to firstname.lastname@example.org for us to investigate.
Thank you for continuing to shop at Play.com and we look forward to serving you in the future.
Play.com Customer Service Team
No credit cards?
"At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. "
So how do you buy stuff without telling them the credit card number?
"....a fake Adobe update that actually contained a Trojan."
As opposed to a real Adobe update that actually contains yet another bloody browser toolbar then?
I prefer the fake ones, at least the sodding AV tools don't let the unwanted bits through....
Maybe it will do less damage to your computer too!
(Still hurting after spending 2 days recovering a PC after a "routine update" to Bridge.)
Also got the fake mail from GSN, and it's a site I've never been to, nor even heard of before.
No email from Play.com though as yet.
do we see the words "marketing" and "security breach" in the same sentence...
"Please do be vigilant with your email and personal information when using the internet"
Presumably as part of "being vigilant" with my personal information, I should avoid doing any business with a company that manages to hand it over to a third party who promptly gets it nicked.
While I'm sure that's just their standard boilerplate privacy crap, they probably should have thought about leaving out the instructions to be careful with our personal information when sending out an email telling us they've just lost our personal information.
We take privacy and security very seriously...
...and that's why we sent all your email addresses to some marketing scum who don't give 2-hoots about privacy, security, ethics....
I use throwaways for each registration but don't actually read anything coming from Play.com
Looking at my deleted emails in gmail from Play, I see no apology but my gmail decided the email from GSN was spam.
I assume Play.com is hashing the stored passwords with something decent and doesn't share that with GSN? There's no need to share that field of a database...
Not just limited to marketing lists?
Several copies of the spam seen here, one to an account that is specific to Play, and one used with Play but which isn't on their newsletter/marketing lists.
Either it's more widespread than just Play, or as I suspect it's not just limited to their marketing lists.
After 11 years, looks like it might be time to close my Play account.
No play.com apology for me...
And I only ordered something from them last Wednesday...
They also save the credit card numbers so it would be safer to assume that's also out on the street.
Would you think a company that employs a PR company to do its marketing would furnish them with all the credit card details of all the subscribers?
Do you hand over your date of birth, address, phone number and national insurance details when you buy a pint of milk with cash?
The credit cards won't be given to the marketing agency. This would be a breach of many things and their merchant accounts would be removed.
Play.com doesn't store actual card numbers but a merchant token that allows them to process transactions. Even this, if stolen, is useless.
No spam emails or messages from play and I've been registered for years.....with a play specific email address as well.
Yeah I got one of these last night claiming to be an Adobe Acrobat update. The thought of Play and Adobe working together over anything meant I was never going to follow the link even if I'd been tempted.
SMS spam now (coincidental?)
Oh, and just got a marketing text message from Optical Express (07537 400712)
Again, someone who I've never dealt with - wonder if it's connected to this.
Also got the spam
Also a play.com customer - I got the GSN spam but spotted it as such straight away.
Not had any apology from play.com though
They really want me to be assured don't they.
If they really want me to be assured don't partner with muppet companies that give out my details through incompetence!
I don't care if it was an external company, they were acting on behalf of Play so as far as I am concerned it is Play who are responsible. Plus, they don't need to tell me to be careful with my info, they need to tell themselves.
They also store the credit card numbers of customers so it would be safer to assume that those are also on the street.
Paying someone else to take control is often unwise
If the security breach is restricted to a third party company, then we should expect many more clients of that company to be affected. It's possible that GSN is not directly related. If/when we start seeing a large number of companies affected, all using the same marketing company, then we can let Play.com off the hook a little, but only a little.
Retail companies have to remember that the buck stops with them, legally and morally, and also financially when customers vote with their feet. Outsourcing must never be out of sight and out of mind and a way to blame someone else.
I've found that even large companies like Sainsbury's can lose control to marketing companies, so that customers effectively lose the ability to opt out and have to rely on filtering.
I also give everyone their own address. What I've noticed is that it's usually the smaller retailers that go bad. But it isn't always: my Avast address went bad a while back but I didn't get anywhere trying to explain it on their forums:
Admittedly I could perhaps have used a less contentious subject title, but it was sad that no-one could see what I was getting at. Interestingly, a quick look at my server logs shows that I don't get spam for that address any more. Other addresses do still generate spam (including some that are many years older), so my theory now is that it was marketing material and they were able to pull the address.
Ah well, those of us who won't touch Acrobat with someone else's barge-pole would have just ignored yet another 'update now' message.
And those who do need to use their own schedule for updates (Sunday mornings are quite good while recovering from Saturdays) or use something like Secunia.
I got the apology email from play
And I got the GSN Adobe Update email.
I won't be closing my account with play, but I think a strongly worded email demanding no more marketing and no passing of details onto third parties for marketing might be in order.
I don't recall what options there were for marketing when signing up with play (I signed up a long time ago), but I'm always careful to opt out of marketing when signing up to things in general.
Re: I got the apology email from play
"I don't recall what options there were for marketing when signing up with play (I signed up a long time ago), but I'm always careful to opt out of marketing when signing up to things in general."
I've noticed that whether or not the options are given, as often as not they subscribe you to their newsletters anyway: as someone pointed out a few comments back, unfortunately the smaller etailers seem to be worse for doing this sort of thing.
As for Play, I complained to them when I received the GSN email and received an apology of sorts for their apparent marketing gaffe, but nothing to say that the contents were a bit dodgy. Just as well I binned it in the spam folder anyway, I suppose...
I also got the Play apology, and GSN fake Adobe update spam - though interestingly the GSN email passed both SPF and DKIM tests, so it would appear they may well be either involved or compromised.
So who leaked it then?
Why not tell us who this "3rd party company" is - then we can all be careful not to do business with them. And any other retailers who use them can kick them off their supplier list.
Similar problem with SVP
I had a similar problem with SVP (www.svp.co.uk - formerly BlankDiscShop). Tried reporting it, got a brush off (couldn't be us otherwise more customers would be complaining). Still getting some low volume spam addressed to the unique address assigned to them.
Sounds like me.
SVP lied and LIED and LIED about taking me off their lists.
Only after legal threats did they remove me... only for random spam to appear on that address a few months later.
Thanks for this post, I'll restart legal proceedings now I know it isn't just me.
So, another company I'll not deal with again.
Now that they've admitted to selling my email address to a bunch of incompetent marketing scum, I'll not be buying anything from them again and shall ensure that anyone who mentions them hears of this.
Shame, their prices were OK.
Saw the apology this morning
I've had a look through their T&Cs and can't find anything about marketing firms. I also can't find anything in my account settings to do with marketing (I'm pretty sure you have to provide an easy way to remove yourself from it if you don't untick the box when you join [something I always do anyway]), so isn't passing my details on to a marketing company kind of, well, illegal?
Compromise: accidental or otherwise?
No sign of any GSN or other junk mail yet but Mrs. Grouse did get the weakly apologetic and pathetically vague e-mail sent to her unique Play.com address.
I can't help but notice the timing of this 'accidental' information leak. We're in a global recession with profits down almost everywhere, at the end of a financial year in which the traditionally bumper Christmas consumer spending spree was a lot lower than many expected. There have been rumours for months that Play have had problems that might result in the closure of PlayUSA. And it's quite possible George Osborne will use the upcoming Budget to change the rules on VAT-free traders operating from the Channel Islands and from outside the EU.
Against this backdrop, a chunk of customer information of great monetary value to the bad guys is unexpectedly purloined from Play.com via an unnamed third party? I don't know about anyone else, but I detect something distinctly piscine wafting from the direction of Jersey and it's not the Beresford Fish Market.
I receive quite enough bloody mail from them as it is. Amazon too. Now they're giving my address out. Fun. Times.
Seriously companies. One email per week should be your limit, unless it's a serious sale going off.
It *is* Play.com's fault
So they say "We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com", which is a contradiction in itself. If they take security very seriously and ensure data is protected, then they wouldn't be giving it out to third parties in the first place.
Re: It *is* Play.com's fault
Hi folks - just to say please don't name possible third parties out loud on here. Email any thoughts on that to the author. Ta.
Play.com well known to the Jersey Information Commissioners Office
The Jersey ICO has received many complaints about Play.com but they never seem to do anything about them. The best thing to do is to submit a section 11 DPA98 request for Play.com to cease processing your personal data for direct marketing purposes.