Information security has been high on the agenda over the last week or so, following two high-profile data protection breaches by established and trusted online brands. Last Monday 21st March at 23.04, I received the following email from PLAY.COM
Dear Customer,
Email Security Message
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.
We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.
Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.
Customer Advice
Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.
Thank you for continuing to shop at Play.com and we look forward to serving you in the future.
Play.com Customer Service Team
Apart from the obvious data security concern, two things immediately made me uncomfortable about this as a piece of crisis communication:
- the lack of detail: ‘a company’, ‘part of’ and ‘marketing communications’ are all a little vague, to say the least
- too much jargon: what exactly do they mean by ‘breach’ and ‘compromised’? Tell me what happened to my data!
As a result, I’m thinking, “there’s something more to it than this”. I was pretty angry at the lack of detail and the general tone. Maybe I wasn’t the only one, as this follow-up note arrived less than 24 hours later on Tuesday 22nd March at 21.31:
Dear Customer,
As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.
We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.
We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.
Best regards,
John
John Perkins
CEO
Play.com
What a difference a day makes, 24 little hours…but it leaves me asking the question, ‘Why couldn’t you tell me this yesterday?’. In any form of crisis communication, it’s vital to get all of the known facts out up front, immediately after the apology. Holding back some important facts for 24 hours just fills me with suspicion.
How they should have handled it
Overall, it looks like it was a bad week for email data security and I also had the following note from the folks at TripAdvisor.com. However, you can immediately see the difference in quality of their approach…
[Image in the original post: the TripAdvisor email; its text is not reproduced here]
Although this is far from ideal, I find myself congratulating TripAdvisor on the way this communication was handled, especially as it demonstrates why play.com got it so wrong:
- They provided the facts, in plain English, up front. An email list had been stolen. Not a ‘breach’ nor ‘compromise’ in sight.
- It had a tone that empathised with how I might feel and contained clear information and guidance on how it might affect me
- There was a link to further information
Congratulations TripAdvisor. They have demonstrated that it is still possible to deliver bad news in a positive, professional and reassuring way, without keeping me guessing.
I hope play.com take heed.
Greetings! This is my 1st comment here so I just wanted to give a quick shout out and say I really enjoy reading through your posts. Can you suggest any other blogs/websites/forums that deal with the same topics? Appreciate it!
Thanks for the feedback, much appreciated. Here’s a useful summary of some data breaches in 2011: http://www.informationweek.com/news/security/attacks/232301079
There’s also a blog by Brian Krebs that I found interesting at the time this was all kicking off. You can find his blog at http://krebsonsecurity.com/
Best regards,
Steve