Was it just me?
Did anyone else read the companies name as 'Silverpoop'?
Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses. The breach led to distribution of spam to email addresses only registered with the online retailer on Sunday, a development that led to howls of protest from users. These emails …
Did anyone else read the companies name as 'Silverpoop'?
about why they give peoples details to a third party when you told them they can't do that at the time you signed up for an account.
If it's passed on for the explicit purpose that the original agreement was for (they can tell me about Play.com deals etc., and status updates on orders I make). If I ever found one about other products, then sure I get uppity (I got uppity; I key email addresses to vendors, so this was very much an anomaly).
My rule #1 on the net is "Everyone can be cracked". All you can do is decide where to put the risk to get what you want to do done..
...Silverpop are providing them with a service, managing their email marketing; the email addresses wouldn't (shouldn't) be used for anything other than Play's use.
'Sharing with a third party' in this context means selling or giving the data to other companies for their own use/profit. If Play gave your email address to a double glazing company, that'd be a breach of the data protection contract. If they hire a third party company to do customer data analysis or handle mailing, it's fair enough.
A good equivalent example would be snail mail. When you tick the 'don't share my mailing details' box on Play, you'd expect to only receive post from Play. However, they give your address to the Royal Mail, to deliver the letter to yourself. Do you want to complain about that blatant breach of privacy? ;)
Of course, it's up to any company that retains customer details to make sure they're held securely, and blaming a third party for a data breach is no excuse. Choice of who looks after the data is just as important as your own defences.
I received one of the Play.com emails this morning, so assume my email address has been harvested.
OK, these things happen, but why oh why does Play.com then end their email with the following "advice", as if the customer is in any at fault...!
Please do be vigilant with your email and personal information when using the internet.
Its all your fault for being stupid and giving your details to such a mickey mouse company.
Well I can quickly remidy that.
Angry email following with a delete account instruction
There again, I never got the spam mails either and I've been a Play customer for many years.
I wonder if they were only giving come customer's details to the thrid party.
Play have been a sack of shit for sometime now. I won't use them unless I really have to these days.
When they started insisting on using the 3D secure type things
>> When they started insisting on using the 3D secure type things
AND still insisting on sending electronics items to the card holders address. If I've done 3D secure verification they should send it to any of my registered addresses.
Like silverpop is just a marketing email service of some sort.
I suspect its more likely that the either play.com lost a password or someone on the inside sold a list.
i've been receiving these adobe X update emails for weeks on my play.com only email addresses.
what i haven't received is he email from play about the breech.
Same guys? http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
well spotted it does appear to be the same company, and that appears to be the data theft in question.
Unsurprisingly nothing (apology / explanation etc.) on the Silverpop web site about what happened ;-(
Like nigel 15, above, I received the spam email apparently about Adobe, but nothing from play.com about the breach, so I'm not sure play.com is entirely accurate when it says that "all [their] customers" were informed.
Oops - not the first time then...
I got the spam on sunday; but I have received no email from play.com warning me about this any time between december last year and today.
I am extremely concerned that my email address is being passed to third parties when I have explicitly stated in my account settings that I do not want to receive their newsletter.
This sounds like a contravention of data protection laws to me.
Read the email this morning and summed it up as "it's a third party, so not our fault, we're brilliant"
Third party or not, Play retain all responsibility and accountability, and to try and deflect it in the apology is a very poor course of action indeed. Thank God I use a disposable email account for all the companies I use.
Logged on to play, only to fine there is NO close account, so I have emailed them to formally requested to close my account and delete all my personal details. I would recommend we all do the same as there is nothing like losing accounts to force them to take more care with personal details - or just not tell us when they lose them next time.
Paris as she is always losing her personal stuff
At the bottom of plays email it mentions about reporting anything suspicious to firstname.lastname@example.org so they can investigate.
So I forwarded my 'Official' Adobe email to play and I think it would good if everyone did the same.
Its the first spam email I've recieved in that account after 5 years (used it loads of different things). Poor show play especially for diverting the blame away from themselves when its a company they themselves appointed...
Of course this was not a one off - their customer list is now in the hands of virus writers / spammers who will surely pass it on to others - so expect to receive more of these.
Very annoyed - just asked Play to 'remove' my account - will be interesting if they do!
...close your account it seems.
Got another piss-poor email last night apologising for any inconvenience caused by the Spam.
No apology for their mistake. Has this been reported to the information commissionaire?
Also got a specail offer email from them. Bloody cheek
Are they still using Silverpop?? Hope not - although the damage has been done.
Where is the line between it being an unavoidable criminal theft and them / their service provider being negligent?
All the personal information you hand over to Play is treated to "one of the most stringent internal standards of e-commerce security in the industry" except for the bits they outsource to "cheap as humanly possible" partners, who may apply rather less rigorous standards in order to cut costs. Play also reserve the right not to fess up to any information haemorrhage unless users actually catch them out, in which case they'll move very quickly to blame someone else, who they will now refer to as "supplier" rather than the previously chummy "partner".
Still no email from play.com despite getting spam, (same as frankster).
Considering also closing my account, but wonder if I can request proof that my details are fully gone from their systems. Not so sure trying to login once account has been "deleted" and not being able to still doesn't mean they hold info on me.
AC for obvious reasons.
Wasn't aware that they had been fingered in so many data losses. Might have to rethink using them...
Even asking play.com to remove your details probably won't stop you getting spam - someone got the email list from silverpop, not from play. Now they have the list, they aren't going to be validating it against play.com's data...
"We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps."
As a long standing customer I did not recieve this email, so the guy is clearly talking BS. I won't be ordering anything from Play.com in the near future.
Also, if they've passed your details on to a third party against your wishes, check that you've not entered any of their competitions as you have to opt-out again at the very bottom of each competition form. I have raised this with Paul Vane from the Jersey ICO on a number of occasions but he said that there was nothing that he could do about it.
Your best bet is to submit a complaint to the Jersey ICO; the more complaints they receive about a company the more they're likely to take action.
I've been a Play customer for years, though I don't recall seeing any dodgy emails or even apology emails.
I got the second letter from play.com today. I didn't get the first letter a day or so ago, and I didn't get notified at the time of the breach; but then, I didn't get the spam emails either.
So I assume that play.com have written to everybody who *might* have been compromised, because they and Silverpop-goes-your-confidentiality don't actually know whose addresses were lost and whose weren't.
But ooh lookee, lookee, what's this at the bottom of the latest email?
Well, well, it's a 1x1 blank gif that you wouldn't see if you weren't using a text-only email reader.
Now, what exactly is a company that said in its first letter (quote) "We take privacy and security very seriously" up to, in employing covert webbugs in its customer correspondence?
Just checked mine, and that is VERY naughty :(
That will be me off their newsletter list, and checking any order e-mails for similar spying!
Their claims that they "reacted immediately" and investigated things in December are completely bogus .. I got the "Adobe update" email on my Play.com-only address in the middle of December and informed Play at the time. Their response was basically "All our systems are perfectly secure, this could not have been our fault"
fscked by SHA-1 collision? Not so fast, says Linus Torvalds