Play.com: Only customer emails lost in data breach Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses. The breach led to distribution of spam to email addresses only registered with the online retailer on Sunday, a development that led to howls of protest from users. These emails …
If it's passed on for the explicit purpose that the original agreement was for (they can tell me about Play.com deals etc., and status updates on orders I make). If I ever found one about other products, then sure I get uppity (I got uppity; I key email addresses to vendors, so this was very much an anomaly).
My rule #1 on the net is "Everyone can be cracked". All you can do is decide where to put the risk to get what you want to do done..
...Silverpop are providing them with a service, managing their email marketing; the email addresses wouldn't (shouldn't) be used for anything other than Play's use.
'Sharing with a third party' in this context means selling or giving the data to other companies for their own use/profit. If Play gave your email address to a double glazing company, that'd be a breach of the data protection contract. If they hire a third party company to do customer data analysis or handle mailing, it's fair enough.
A good equivalent example would be snail mail. When you tick the 'don't share my mailing details' box on Play, you'd expect to only receive post from Play. However, they give your address to the Royal Mail, to deliver the letter to yourself. Do you want to complain about that blatant breach of privacy? ;)
Of course, it's up to any company that retains customer details to make sure they're held securely, and blaming a third party for a data breach is no excuse. Choice of who looks after the data is just as important as your own defences.
I received one of the Play.com emails this morning, so assume my email address has been harvested.
OK, these things happen, but why oh why does Play.com then end their email with the following "advice", as if the customer is in any at fault...!
Customer Advice
Please do be vigilant with your email and personal information when using the internet.
I got the spam on sunday; but I have received no email from play.com warning me about this any time between december last year and today.
I am extremely concerned that my email address is being passed to third parties when I have explicitly stated in my account settings that I do not want to receive their newsletter.
This sounds like a contravention of data protection laws to me.
Read the email this morning and summed it up as "it's a third party, so not our fault, we're brilliant"
Third party or not, Play retain all responsibility and accountability, and to try and deflect it in the apology is a very poor course of action indeed. Thank God I use a disposable email account for all the companies I use.
Logged on to play, only to fine there is NO close account, so I have emailed them to formally requested to close my account and delete all my personal details. I would recommend we all do the same as there is nothing like losing accounts to force them to take more care with personal details - or just not tell us when they lose them next time.
Paris as she is always losing her personal stuff
At the bottom of plays email it mentions about reporting anything suspicious to privacy@play.com so they can investigate.
So I forwarded my 'Official' Adobe email to play and I think it would good if everyone did the same.
Its the first spam email I've recieved in that account after 5 years (used it loads of different things). Poor show play especially for diverting the blame away from themselves when its a company they themselves appointed...
Of course this was not a one off - their customer list is now in the hands of virus writers / spammers who will surely pass it on to others - so expect to receive more of these.
Very annoyed - just asked Play to 'remove' my account - will be interesting if they do!
Still no email from play.com despite getting spam, (same as frankster).
Considering also closing my account, but wonder if I can request proof that my details are fully gone from their systems. Not so sure trying to login once account has been "deleted" and not being able to still doesn't mean they hold info on me.
All the personal information you hand over to Play is treated to "one of the most stringent internal standards of e-commerce security in the industry" except for the bits they outsource to "cheap as humanly possible" partners, who may apply rather less rigorous standards in order to cut costs. Play also reserve the right not to fess up to any information haemorrhage unless users actually catch them out, in which case they'll move very quickly to blame someone else, who they will now refer to as "supplier" rather than the previously chummy "partner".
AC for obvious reasons.
Wasn't aware that they had been fingered in so many data losses. Might have to rethink using them...
@James 12
Even asking play.com to remove your details probably won't stop you getting spam - someone got the email list from silverpop, not from play. Now they have the list, they aren't going to be validating it against play.com's data...
"We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps."
As a long standing customer I did not recieve this email, so the guy is clearly talking BS. I won't be ordering anything from Play.com in the near future.
Play.com, like many companies, probably believe that they can negate statutory law with terms in their standard form civil contracts - their terms and conditions and their privacy policy. This just isn't true and any term that is incompatible with the DPA98 is likely to be deemed unfair by a court of law.
Also, if they've passed your details on to a third party against your wishes, check that you've not entered any of their competitions as you have to opt-out again at the very bottom of each competition form. I have raised this with Paul Vane from the Jersey ICO on a number of occasions but he said that there was nothing that he could do about it.
Your best bet is to submit a complaint to the Jersey ICO; the more complaints they receive about a company the more they're likely to take action.
I got the second letter from play.com today. I didn't get the first letter a day or so ago, and I didn't get notified at the time of the breach; but then, I didn't get the spam emails either.
So I assume that play.com have written to everybody who *might* have been compromised, because they and Silverpop-goes-your-confidentiality don't actually know whose addresses were lost and whose weren't.
But ooh lookee, lookee, what's this at the bottom of the latest email?
http://open.newsletters.play.com/open/log/4794517/Njk0MDUyNTc3MAS2/0/MTc0NjI0MTk5S0/1/0
Well, well, it's a 1x1 blank gif that you wouldn't see if you weren't using a text-only email reader.
Now, what exactly is a company that said in its first letter (quote) "We take privacy and security very seriously" up to, in employing covert webbugs in its customer correspondence?
Their claims that they "reacted immediately" and investigated things in December are completely bogus .. I got the "Adobe update" email on my Play.com-only address in the middle of December and informed Play at the time. Their response was basically "All our systems are perfectly secure, this could not have been our fault"
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
