UPDATED: Play.com hit by security breach
By Jennifer Scott
Play.com has admitted to losing a number of names and email addresses thanks to a security breach at a third party company.
The online retailer emailed its users late last night to inform them of the breach, which hit the firm paid to deal with Play.com’s marketing communications.
However, no details were released explaining how the losses occurred or how many of its customers it had affected.
The email warned customers the company never asked for passwords, bank details or credit card numbers over email so if they received anything that looked suspicious, they should forward it on to privacy@play.com.
“We take privacy and security very seriously and ensure all sensitive customer data is protected,” the email from Play.com's customer service team read.
“Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.”
The Information Commissioner's Office (ICO), which is responsible for enforcing the Data Protection Act, could fine the company up to £500,000 if it considered the breach serious enough. But when IT PRO spoke to the organisation this morning, it said it had yet to be notified of the issue.
Rik Ferguson, director of security research and communication at Trend Micro, told IT PRO although it was only emails and names lost, it was still "personally identifiable information" so would "count" if the ICO chose to pursue the case.
When asked whether customers should be worried, Ferguson claimed they should just remain vigilant, even if they didn't receive the warning email.
“I know I didn’t get an email but my colleague got one,” he explained. “They may have expunged their database, or only notified those affected, but it is hard to know when they have revealed so little information about [the breach].”
“Customers should be concerned though as the association of a name and email address along with where you have shopped is still enough to launch a credible phishing attack, for example.”
Ash Patel, country manager in the UK and Ireland for Stonesoft, agreed, telling IT PRO: “Despite the fact that Play.com is reassuring its customers that hackers didn’t steal important financial data and that they only managed to get away with names and email addresses doesn’t make this any better.”
“The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC.”
Whilst the third party responsible for the breach is under no legal obligation to make more details known, Ferguson hoped it would reveal more to reassure customers.
“There is not any obligation to offer more information but... if it is an outsourced agency, one can assume they have more than one customer," he said.
"If they could explain how the breach happened, to what extent and what customers were affected, it would put minds at ease and show best practice.”
IT PRO contacted Play.com this morning to ask for more details on the security breach, but it had not returned our request at the time of publication.

RE:
It also sucks how they don't offer any compensation to win us back. They just don't care. I won't be using Play.com again
By PeterBailey on Tuesday Mar 22