Security breach at provider loses customer details

22 March 2011

Oh dear. It seems somebody's been lubing up your personal information good and proper, because nobody can keep a hold on it these days - not even

From 10pm last night, the online retailer began emailing its entire database to say that a security breach meant customer data may have been leaked. Here's what the email had to say:

We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of and no other personal customer information has been involved.

Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.

So in fact it's not Play that suffered the security breach, it's a marketing firm that Play passed customer information on to. That's not the first time that's happened in the last few weeks; Grattan sent a similar email to its customers warning them that their information had been compromised, also pointing the finger at a third party 'service provider'.

It's unlikely there's any connection between the two (although there are marketing businesses that may sell information from mailing lists of both companies) but there's cause for concern regardless.

There's an astounding lack of transparency concerning how our data is being handled. In both instances an unnamed associate has lost an unknown amount of customer information and presumably we'll never be told what the outcome or consequences are, nor are we likely to know what disciplinary action occurred as a result. It's unlikely the ICO will take any action, meaning everyone involved will remain unaccountable. Or are we being too cynical?

Still, nice to see Play hasn't lost its sense of humour; after explaining they've screwed up by losing your personal data, Play's email then insists that customers be more careful with it.

Thanks to the two dozen avid readers who sent us the news!



  • Dick
    I also got the email, and part of it is this: Please do be vigilant with your email and personal information when using the internet. At we will never ask you for information such as passwords, bank account details or credit card numbers. This is clearly wrong. They ask for a password and credit card number with every purchase. Maybe they should say emails from will never ask for information ...
  • Privacy P.
    Why should I be "assured this issue has occurred outside of" when it is Play that has shown terrible judgement in flogging my details to a buddy of theirs who seems to leak our personal data like a sieve
  • thingonaspring
    Should I be worried that I *didn't* get an email about this then?
  • someone e.
    > Why should I be “assured this issue has occurred outside of”? Because play only sold (or passed on) your name and email address, not your postal address and bank details.
  • Mike
    We should be told who this '3rd Party' is - name and shame em...
  • The B.
    So this "breach", it was mailing data presumably, why was it on a server connected to the internet? Unless of course the "breach" was a member of staff flogging the details. I can't think of any reason why address data should be held in that fashion, if it was used for sending emails then you'd only need to upload the pertinent details (email address, name, any analytical groupings, etc), all of the address data would be held on the back end for analytics surely? It all sounds like a right Hassett.
  • Tim
    My understanding with Play was that I only accepted mailings from them. Why are they passing my data off to a third party without my knowledge?
  • gsrfd
    You accept mailings from Play. Therefore if Play hire a marketing company to do their communications, the mailings still in effect are coming from Play, but it's handled by the third party.
  • Andrew R.
    No data was sold, it's just stored with Silverpop (the ESP used to handle their email marketing). This is nothing untoward, anyone who cares about deliverability and proper email marketing will use an email service provider rather than send off their own IPs. And yes, play do fairly dumb 'broadcast' email marketing (i.e. it's not targeted or segmented like Amazon based on purchase activity or your gender) so it's highly likely they have your Email, Firstname and Surname only. My guess, and pure guess, is that a Silverpop employee has lost the data via Virus/Trojan or hacked email from a CSVExcel spreadsheet. I'd base this on that, if Silverpop's database had been compromised, I doubt it'd just be's data that would be at risk.
  • Will
    It doesn't make it any better that don't let you delete any saved addresses or even *credit card details* from your account. I know have absolved themselves of responsibility for this one, but it still shows that they'll quite happily whore off our data, unsecured. I guess I'll try and ask them to remove my account, just to be safe.. though there's probably no guarantee that they'll actually remove all my data from their server.
  • Richard A.
    They've since followed it up with this next email, received this evening: Dear Customer, As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again. We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure environment. has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue. Best regards, John John Perkins CEO
  • B.
    [...] Play emailed customers to warn them of the security breach but it was vague on the specifics. Clearly Bitterwallet wasn’t the only organisation to chase Play and ask the pesky questions customers wanted answers to – exactly who had made the bungle and how much personal data, if any, had been lost. Late last night, Play emailed customers again with an update: On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. [...]
