Play.com, one of Britain's best-known online retailers, has suffered a security breach that has compromised customers' email addresses and names.
Play has issued an email to customers admitting the problem and blamed its third-party marketing communications company for the leak.
That may be little comfort for customers who assumed their data was being kept secure when they handed it over to the retailer, but it does at least mean that financial information such as credit card details has not been compromised.
UPDATE: Play.com's CEO, John Perkins, has released the following statement:
"On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.
"We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.
"We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue."
"We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach," said Play's customer email.
"Unfortunately this has meant that some customer names and email addresses may have been compromised.
"We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved."
Customers are urged to be vigilant and to keep an eye out for suspicious-looking emails. We've contacted Play for its official stance on this incident.
Security team response
"While it is a good thing that Play.com issued a statement to let customers know about the security breach, it does not offer any information about what people should do if they notice any unusual activity on their Play.com account," said Mark Harris, VP of SophosLabs.
"The full extent as to what information has been leaked is not clear, but any security breach involving the loss of customer information is extremely serious – even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customer's data.
"Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com."