17 years on the Internet

23 March 2011

Opening Pandora's box...

Play.com's customer service department sent the following e-mail to all its customers on the night of 21 March:

Dear Customer,
Email Security Message
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.
We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.
Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.
Customer Advice
Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.
Thank you for continuing to shop at Play.com and we look forward to serving you in the future.
Play.com Customer Service Team

In this message, customer service implies that a security breach has been detected at the company they hire for marketing, and that it is quite likely that the list of e-mail addresses of the users subscribed to their newsletter service has been stolen.

Basically, this e-mail set out to make two vital points clear. First, that the only data taken are customers' real names and their respective e-mail addresses. Second, that we should be on the alert for possible phishing attacks, and that under no circumstances will anyone at Play.com send us e-mails asking for data such as our password, our bank details or our credit card number.

Play.com's effort to inform is very commendable, but naturally this e-mail caused alarm and in turn alerted the press, which ran headlines as sensationalist as they come:




A few minutes ago John Perkins, CEO of Play.com, sent a second e-mail to calm the beasts:

Dear Customer,
As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.
We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.
We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.
Best regards,
John

According to the company's top boss, on 20 March several customers reported that they were receiving spam at e-mail accounts they use exclusively for shopping at play.com. "John" implies that this is due to a possible data theft that took place in December at Silverpop (the company they hire to run their newsletter service). I say "they think" because, according to the CEO of Play.com, the evidence collected in December cannot show that the mailing list was downloaded. In any case, he stresses that the data theft took place outside Play.com's systems and that it is impossible for sensitive information to have leaked.




For his part, the CEO of Silverpop has published the following text on his company's blog:

In light of several news articles recently making headlines, we wanted to clarify a situation that we first told you about back in the fall of 2010 when it took place. At that time, Silverpop and a small percentage of our customers were among the victims of an industrywide cyber attack. We very quickly stopped the attack, notified all customers impacted by the activity and began working with law enforcement and third-party security experts to help identify those responsible and take any additional steps necessary to ensure this did not happen again. We are confident that the compromise last year remains an isolated incident.
While Silverpop never publicly discloses the names of our customers, we do respect their decisions to inform their customers about situations they feel they need to be aware of. Unfortunately, this means we are not in control of the timing of these announcements.
We want to make it clear that there have been no additional incidents involving the security of our customers’ data since the incident we uncovered in the fall of 2010. 
Bill Nussey

This part really is good ;). According to "Billy", his company notified Play.com that they suffered an attack in December. What's more, if we look closely, at no point do they name Play.com... but rather "a small percentage of our customers". They are speaking in the plural. Scary, isn't it? Well, on this company's website we can see a small sample of the kind of customers Silverpop has on its books:







