A number of Play.com customers have received spam following the website’s credit card security breach, suggesting that someone is using their compromised customer data.
On the MoneySavingExpert.com forum, several users complained that the email address they use for Play.com was receiving spam. One user said, “I received two this morning. One sent to my play@ [my domain] and the other to play247@ [my domain] which is clearly an address I’ve held for many years as I forgot I even had it or that Play even had a different name back in the day! So the addresses they’ve got must be going back years. And some people wonder why every company I give my details to I use their name @ [my domain].. Caught plenty of them this way.”
On his countermeasures blog, Rik Ferguson, director of security research and communications at Trend Micro, urged Play.com customers to complain to the Information Commissioner’s Office. Under the Data Protection Act 1998, companies that collect personal data have an obligation to keep the data secure. “If you have received one of these notification emails and have any concerns, you can make a direct complaint to the Information Commissioner’s Office,” Ferguson said.
“While it is a good thing that Play.com issued a statement to let customers know about the security breach, it does not offer any information about what people should do if they notice any unusual activity on their Play.com account,” said Mark Harris, V-P of SophosLabs.
“The full extent as to what information has been leaked is not clear, but any security breach involving the loss of customer information is extremely serious – even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data. Play.com customers should exercise additional caution when accessing their e-mails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”