  • FIRST POST
    • DonnyDave
    • By DonnyDave 20th Mar 11, 2:20 PM
    • 1,568 Posts
    • 438 Thanks
    DonnyDave
    Spam from "GSN" to e-mail address registered on Play.com
    • #1
    • 20th Mar 11, 2:20 PM
    I have just received a spam message to play@mydomain which has only ever been given to online retailer Play.com:


    From: GSN - Play Every Day <GSNnews@email.gsn.com>
    Subject: Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now
    __________
    GETTING MORE DONE AT WORK NOW COMES IN A CONVENIENT BOX

    See how Adobe Acrobat X Reader is a step above anything you've experienced before, so you can be even more productive.

    Upgrade now: <spam link removed>

    Just how much faster can you work with Adobe Acrobat PDF Reader
    software? Fast enough to stay on top of last-minute changes, connect
    with key decision makers, and share updates with co-workers.

    You'll discover how easy it is to reuse content by exporting PDF files
    to Microsoft Word or Excel formats. And how quickly you can automate
    multi-step tasks with new, guided Actions. No wonder PC Magazine
    says, "There's a lot to like in Acrobat X PDF Reader." See for yourself at :

    <spam link removed>

    Copyright 2011 Adobe Systems Incorporated. All rights reserved.

    Adobe Systems Incorporated
    343 Preston Street
    Ottawa, ON K1S 1N4
    Canada
    I am concerned that this may be as a result of a security breach at Play.com.
    Last edited by DonnyDave; 20-03-2011 at 11:09 PM. Reason: Link removed
    Dave
    Say no to 0870!
Page 4
    • GustyGardenGalaxy
    • By GustyGardenGalaxy 21st Mar 11, 11:17 PM
    • 659 Posts
    • 243 Thanks
    GustyGardenGalaxy
    Well, if it's only our names and email addresses then I can handle that - I get enough spam as it is, a bit more is unlikely to be noticed. However, that's just me - this is going to be decidedly inconvenient for some who rarely get any spam.

    It's lucky for play.com that credit/debit card details weren't compromised.

    On the back of this I think I'll take my business elsewhere.
  • halfer
    Phew - I was worried for a moment that my personal details had been lost, whereas in reality all that's happened is that my personal details have been lost.
    Originally posted by dragonmeat
    Heh heh, very good!
  • halfer
    If you look at the thread on GSN, it looks like they are also investigating - remember there are a bunch of annoyed users who've received the same spam, but who have never been play.com customers. It'll be interesting to see what they come up with.
  • halfer
    Well, if it's only our names and email addresses then I can handle that - I get enough spam as it is, a bit more is unlikely to be noticed. However, that's just me - this is going to be decidedly inconvenient for some who rarely get any spam.
    Originally posted by GustyGardenGalaxy
    Yes, it could have been a lot worse. If this is the case, then it's good to see that play.com are not sending the whole customer record (eg billing and delivery addresses, tel numbers, etc) to external suppliers who categorically don't need it.

    Still haven't got an answer from them though
    • GustyGardenGalaxy
    • By GustyGardenGalaxy 21st Mar 11, 11:38 PM
    • 659 Posts
    • 243 Thanks
    GustyGardenGalaxy
    I wonder what would be the course of action if credit/debit card details had also been leaked?

    Would everyone have had to cancel their cards and get new ones issued?
  • halfer
    Yeah, almost certainly. Retailers don't usually store the 3-digit security number on the back of the card, but then not all transactions required this, I believe.

    Once (if) play get back to me, I will ask if they will consider a feature to remove credit card details. It's not hard to do, and improves customer trust. And they could probably do with a bit of that at the mo!
    • g33za
    • By g33za 22nd Mar 11, 12:08 AM
    • 698 Posts
    • 145 Thanks
    g33za
    I wonder what would be the course of action if credit/debit card details had also been leaked?

    Would everyone have had to cancel their cards and get new ones issued?
    Originally posted by GustyGardenGalaxy
    Assuming this were to happen then the PCI DSS rules kick in and it means huge fines and I believe they would have to bear the costs of all transactions including all legitimate ones and card replacement costs. Not a situation any company wants to be in.
    ummm...
  • Inactive
    If you want to delete your credit card number, you can replace it with a fake one:
    4111 1111 1111 1111
    Postcode: A1
    Phone number: 0
    And just make something up for everything else.
    Originally posted by VariousArtists

    Doesn't work, does anybody know how to delete card details?
    • Nilrem
    • By Nilrem 22nd Mar 11, 4:10 AM
    • 2,462 Posts
    • 1,633 Thanks
    Nilrem
    Protection Laws of Luxembourg."
    I'm not sure a court would agree that passing data to a marketing agency comes within the definition of 'a range of services, including for fraud protection purposes.' Marketing has nothing whatsoever to do with any of the activities listed and their policy can't be interpreted as giving play.com the right to share our data with all and sundry. Far from resolving the issue, all their statement does is confirm their complicity in passing on our email addresses to third parties.

    Oh yeah, and what's with the 'may have been compromised' comment. Do they not yet accept that our data has leaked?
    Originally posted by Internet Pawn
    The "marketing" is almost certainly the company that handles Play's emails/newsletters and competitions - in other words someone Play would be legally allowed to share the info (name/email), as long as it was only used by that company in direct relation to the Play account under Play's instructions.

    It's pretty much exactly what most banks, and large companies do, they outsource certain aspects of the communications to companies who specialise in that job (you don't imagine for one moment your Bank owns the printers that do your bank statements? or prints all those leaflets/loan apps they like to send you in house?).
    Normally it's completely transparent to the end user and the company dealing with the data under contract wouldn't be allowed to use it for any other purpose (IE a company doing the emails for retailer A, wouldn't be allowed to use the details for retailer B unless the customer had opted to allow that, and retailer A had said ok).

    As long as (from memory) both the Primary Company (Play) and its authorised agent (the company that handles its marketing emails) are registered with the relevant Data Protection authorities, and normal safety procedures are followed (IE the data isn't knowingly misused, and the company takes recognised steps to protect the data*), it's completely legal - and probably safer than having a company who doesn't specialise in that particular field sending out regular newsletters (for one thing doing it this way absolutely ensures the only details involved are the email address and name as it will be on a completely separate system to the Play one).

    What it looks like, is basically the Newsletter list has been compromised somehow, which is annoying, but not a major security issue.

    I'm mildly annoyed about it, but I'd rather a third party system got compromised, than the one that holds things like my full address and credit card.


    *And no matter how good those steps are, they aren't always 100% proof - even for banks, or when everything is in house.
  • Miss Qwerty

    What it looks like, is basically the Newsletter list has been compromised somehow, which is annoying, but not a major security issue.
    Originally posted by Nilrem
    Except that I opted out of the newsletters/competitions/emails/offers etc back in 2009 and have not received an email from them since - so why was my information there?
  • Internet Pawn
    The "marketing" is almost certainly the company that handles Play's emails/newsletters and competitions - in other words someone Play would be legally allowed to share the info (name/email), as long as it was only used by that company in direct relation to the Play account under Play's instructions.
    Originally posted by Nilrem
    Is it still legal if it is not covered by the company's own Data Sharing policy (as this isn't)? I understand why they did it - what I don't accept is that the agreement I had with them gives them the right to do it. I am sure you are right that lots of businesses outsource operations that involve passing on my private data, but I expect them to get my permission for it first. In Play's case, they only asked for (and got) permission to pass on our data in connection with processing transactions, which this isn't.
  • lionheart79
    Play still responsible
    The following sentence is irrelevant, and may even be considered an obfuscation of Play.com's responsibilities:

    Please be assured this issue has occurred outside of Play.com

    Play remain the "data owner" as they supplied customer email addresses and gave the 3rd party the remit to contact customers on Play's behalf. Play are therefore ultimately responsible for the protection of this data, no shirking allowed!

    That all said, a few more junk emails to my account that already gets dozens a day isn't the end of the world. I shall continue to do business with them where the deals are worthwhile.
  • Preacherbot
    First time poster here, long time lurker.

    I too have been getting the spam mails from play.com, this wasn't a massive concern for me.

    What is a massive concern to me is that last Tuesday someone attempted to perform a balance transfer onto my card (the one stored with play.com).

    The fraudsters were in possession of my name, address and email address...do we think this might be a coincidence?
    • GustyGardenGalaxy
    • By GustyGardenGalaxy 22nd Mar 11, 10:28 AM
    • 659 Posts
    • 243 Thanks
    GustyGardenGalaxy
    That does sound rather worrying - I think that we need absolute clarification from play.com that no customer credit/debit card details or addresses were involved in this 'security breach'.
    • DonnyDave
    • By DonnyDave 22nd Mar 11, 10:28 AM
    • 1,568 Posts
    • 438 Thanks
    DonnyDave
    The following sentence is irrelevant, and may even be considered an obfuscation of Play.com's responsibilities:

    Please be assured this issue has occurred outside of Play.com

    Play remain the "data owner" as they supplied customer email addresses and gave the 3rd party the remit to contact customers on Play's behalf. Play are therefore ultimately responsible for the protection of this data, no shirking allowed!
    Originally posted by lionheart79
    I'm not so sure, although can see why it may have been interpreted in that way. Removing the last part of the quoted sentence leaves out vital qualification and therefore leaves it open to mis-interpretation as you have done.

    The full sentence was "Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved."

    I read this as being a clarification that no other personal information is (or could have been) involved because it was an outside agency that is not provided with this information.

    Instead of this sentence, perhaps it would have been better conveyed as "Please be assured this issue does not involve other personal customer information as it occurred outside of Play.com. The company in question does not have access to customer details other than names and e-mail addresses."

    The first part of the sentence should have been the most significant point; i.e. that other personal data isn't affected, whereas Play.com opted to say that it wasn't it that leaked the data as the primary point.
    Dave
    Say no to 0870!
    • GustyGardenGalaxy
    • By GustyGardenGalaxy 22nd Mar 11, 10:30 AM
    • 659 Posts
    • 243 Thanks
    GustyGardenGalaxy
    It's now been covered by theregister:

    http://www.theregister.co.uk/2011/03/22/play_malware_spam/
    • Equaliser123
    • By Equaliser123 22nd Mar 11, 11:27 AM
    • 3,321 Posts
    • 2,485 Thanks
    Equaliser123
    In my view the email from Play.com is unacceptable and comes across as "not our fault, don't blame us". Not even any comment that they will report back after investigating.

    It is totally their responsibility to allay any concerns.
  • halfer
    It's okay for a company to outsource marketing, though I expect details flow to a marketing company immediately as soon as you sign up, and then an opt-out is sent afterwards, which should suppress any further contact. Of course, what should happen is that upon that opt-out, the third party should *delete* the record, not mark it, but as we all know, deleting data is anathema to most marketing companies, even the legitimate ones.

    But play.com's email is a bit, well, corporate, isn't it? A specific reassurance that credit card details are safe, and the name of the offending company, would be much better.
    • Equaliser123
    • By Equaliser123 22nd Mar 11, 12:20 PM
    • 3,321 Posts
    • 2,485 Thanks
    Equaliser123
    It's okay for a company to outsource marketing, though I expect details flow to a marketing company immediately as soon as you sign up, and then an opt-out is sent afterwards, which should suppress any further contact. Of course, what should happen is that upon that opt-out, the third party should *delete* the record, not mark it, but as we all know, deleting data is anathema to most marketing companies, even the legitimate ones.

    But play.com's email is a bit, well, corporate, isn't it? A specific reassurance that credit card details are safe, and the name of the offending company, would be much better.
    Originally posted by halfer
    Agreed. However, it is only ok to transfer data when there are "appropriate security restrictions" in place to protect that data. We don't even know where the third party is located!
  • halfer
    The fraudsters were in possession of my name, address and email address...do we think this might be a coincidence?
    Originally posted by Preacherbot
    From the play.com statement, it looks like only names and email addresses leaked, not billing/postal addresses. The latter would be a bit more worrying, as it would go some way to enabling identity fraud.