Many customers of play.com will have opened their inboxes this morning to find some unwelcome news from the online retailer.
Email Security Message
“We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.”
The email does not offer any details of which subcontracted marketing agency was breached, or how that breach occurred, which is a shame as it seems a reasonable assumption that the agency in question would also be holding customer details on behalf of other companies.
Play.com go on to say:
“We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.”
The fact that it is a third party that has suffered the breach will not protect Play.com from falling foul of the Data Protection Act. The Data Controller (Play.com) remains responsible for the security of data handled by subcontracted third parties (known as Data Processors).
I called the Information Commissioner’s Office this morning to check if they had been notified of this data breach; they were unable to locate any recent notification on behalf of Play.com. According to the lady I spoke to there, Play.com are only required to notify the Information Commissioner of a breach “if they consider it serious”. Play.com certainly considered it serious enough to notify their customers, so we can only hope the official notification is making its way through the correct channels.
Unfortunately the email from Play.com to their customers does not contain any contact information for worried customers, only the advice “Please do be vigilant with your email and personal information when using the internet”, which seems a little ironic under the circumstances.
Online discussion forums seem to already show evidence that the stolen email addresses are being used for spamming.
If you have received one of these notification emails and have any concerns, you can make a direct complaint to the Information Commissioner’s Office by downloading this form and following the instructions on this page over at the ICO.