Play.com warns of customer e-mail security breach

Play.com has warned its customers to "be vigilant" after a security breach led to some personal information being compromised.

The retailer, which sells music, videos and games, blamed another company that it employs to do marketing.

It said that no payment details were stolen, but asked users to beware of spam e-mails containing harmful links.

The company has apologised saying it had "taken every step to make sure this doesn't happen again".

In a statement, Play.com's chief executive John Perkins said: "On Sunday 20 March some customers reported receiving a spam e-mail to e-mail addresses they only use for Play.com."

"We believe this issue may be related to some irregular activity that was identified in December 2010 at our e-mail service provider, Silverpop.

"Investigations at the time showed no evidence that any of our customer e-mail addresses had been downloaded.

"We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps."

The retailer, which operates out of Jersey, said that all of its customers had now been warned to be cautious of e-mails appearing to come from Play.com.

It has also requested that any suspicious messages be forwarded to privacy@play.com.

US-based firm Silverpop was employed by the site in 2008 to manage e-mail marketing and communications.

Silverpop's manager of corporate communications, Stacy Kirk, told the BBC that the only security issue it had been affected by happened last year, and that it had notified all affected clients at the time.

"Silverpop was among several technology providers targeted as part of a broader cyber attack that occurred in the fall of 2010," she said.

"At that time, we very quickly stopped the attack, notified all customers impacted by the activity and began working with the FBI, law enforcement and third party security experts to help identify those responsible and take any additional steps necessary to ensure this did not happen again.

"We are confident that the breach last year remains an isolated incident."

Ms Kirk would not confirm that Play.com was among those contacted due to client confidentiality.

Some users on Twitter and in discussion forums have reported an increase in spam e-mail to accounts signed up to Play.com, with some of these e-mails containing links to websites containing malware.

Phishing scams are designed to trick users into believing they are sharing data with a company that they trust, and giving out personal information such as a credit card details.

However, it cannot be confirmed that the e-mails were sent as a result of the data breach at Play.com.

Some customers who received Play.com's warning e-mail questioned its validity as it did not refer to them by name.

Play.com's website currently contains no notice or guidance about the breach.

Many users have also complained that it is currently not possible to manually remove credit card details from the site.

Paul Vlissidis, technical director of IT security firm NGS Secure, said that such situations are a major concern for retailers and their customers.

"Online businesses, even those of Play.com's size, cannot afford the loss of reputation and customer trust that negligence of this type causes," he said.

"While it is a weakness in the security of a third party that has allowed this data breach, it is the responsibility of all organisations dealing with personal customer data to ensure comprehensive security audits have been carried out in all areas of outsourced work."

Mr Perkins has moved to re-assure customers that other data kept with Play.com is safe.

"We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment.

"Play.com has one of the most stringent internal standards of e-commerce security in the industry.

"On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue."