Information security has been high on the agenda over the last week or so, following two high-profile data protection breaches by established and trusted online brands. Last Monday 21st March at 23.04, I received the following email from PLAY.COM

Dear Customer,

Email Security Message
 
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.
 
We take privacy and security very seriously and ensure all sensitive customer data is protected.  Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved. 
 
Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.
 
Customer Advice
 
Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.
 
Thank you for continuing to shop at Play.com and we look forward to serving you in the future.
 
Play.com Customer Service Team

Apart from the obvious data security concern, two things immediately made me uncomfortable about this as a piece of crisis communication:

1. the lack of detail: ‘a company’, ‘part of’ and ‘marketing communications’ are all a little vague, to say the least 
2. too much jargon: what exactly do they mean by ‘breach’ and ‘compromised’? Tell me what happened to my data!

As a result, I’m thinking, “there’s something more to it than this”. I was pretty angry at the lack of detail and the general tone. Maybe I wasn’t the only one, as this follow-up note arrived less than 24 hours later on Tuesday 22nd March at 21.31:

Dear Customer,

As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. 

We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses.  Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue . 

Best regards,

John

John Perkins
CEO
Play.com

What a difference a day makes, 24 little hours…but it leaves me asking the question, ‘Why couldn’t you tell me this yesterday?’. In any form of crisis communication, it’s vital to get all of the known facts out up front, immediately after the apology. Holding back some important facts for 24 hours just fills me with suspicion.

How they should have handled it

Overall, it looks like it was a bad week for email data security and I also had the following note from the folks at TripAdvisor.com. However, you can immediately see the difference in quality of their approach…

To our travel community:

This past weekend we discovered that an unauthorised third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologise for this incident and appreciate your membership in our travel community.

Steve Kaufer Co-founder and CEO

More information

Although this is far from ideal, I find myself congratulating TripAdvisor in the way this communication was handled, especially as it demonstrates why play.com got it so wrong:

1. They provided the facts, in plain English, up front. An email list had been stolen. Not a ‘breach’ nor ‘compromise’ in sight.
2. It had a tone that empathised with how I might feel and contained clear information and guidance on how it might affect me
3. There was a link to further information

Congratulations TripAdvisor. They have demonstrated that it is still possible to deliver bad news in a positive, professional and reassuring way, without keeping me guessing. 

I hope play.com take heed.