Play.com issues credit card breach warning

The e-mail says: "We are e-mailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and e-mail addresses may have been compromised."

Play.com urged its customers to be vigilant with their e-mail and personal information when using the internet. "At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your e-mail, please do not click on any links and forward the e-mail to privacy@play.com for us to investigate."

Reports indicate that a number of Play.com customers have received spam following the website's credit card security breach, suggesting that someone is using their compromised customer data.

On the MoneySavingExpert.com forum, several users complained that the email address they use for Play.com was receiving spam. One user said: "I received two this morning. One sent to my play@ [my domain] and the other to play247@ [my domain] which is clearly an address I've held for many years as I forgot I even had it or that Play even had a different name back in the day! So the addresses they've got must be going back years. And some people wonder why every company I give my details to I use their name @ [my domain].. Caught plenty of them this way."

On his countermeasures blog, Rik Ferguson, director of security research and communications at Trend Micro, urged UK-based Play.com customers to complain to the Information Commissioner's Office. Under the Data Protection Act 1998, companies that collect personal data have an obligation to keep the data secure.

"If you have received one of these notification emails and have any concerns, you can make a direct complaint to the Information Commissioner's Office," Ferguson said.

"While it is a good thing that Play.com issued a statement to let customers know about the security breach, it does not offer any information about what people should do if they notice any unusual activity on their Play.com account," said Mark Harris, VP of SophosLabs.

"The full extent as to what information has been leaked is not clear, but any security breach involving the loss of customer information is extremely serious – even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers' data. Play.com customers should exercise additional caution when accessing their e-mails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com."

This story was first published by Computer Weekly
