Who forwards your email?

A fascinating story is revealing itself via the management at play.com.


A security breach seems to have taken place, though not an ordinary one: it came not from their own managed systems, but from one of their provider's systems...

Dear Customer,

As a follow-up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.

We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses.  Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.

Best regards,


John Perkins

Confidentiality: This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately and delete this message from your computer without further action. Any dissemination, distribution or copying of this message or any files transmitted with it by an unauthorised recipient is strictly prohibited.
Viruses: This message has been swept for viruses but we cannot guarantee that this e-mail or its attachments are virus free nor accept responsibility for any virus inadvertently transmitted herewith.

Some interesting language going on there. "Irregular activity" strikes me as an interesting turn of phrase, and the fact that they've mentioned their third party by name on more than one occasion is also "of note" to my over-paranoid eye.

Really makes me think about the safety or lack thereof in outsourcing or even the amount of trust we automatically place in third parties without a second thought.

This post originally appeared here: Posterous