FBI agents looking into the theft of customer data belonging to
McDonald's are investigating similar breaches that may have hit more
than 100 other companies that used email marketing services from
Atlanta-based Silverpop Systems .
“The breach is with Silverpop, an email service provider that has over
105 customers,” Stephen Emmett, a special agent in the FBI's Atlanta
field office, told The Register. “It appears to be emanating from an
overseas location.”
He declined to provide further details.
Over the past week, at least two other sites – one known to have ties
to Silverpop and the other that appears to – offered similar warnings
to their customers. deviantART, a website that boasts more than 16
million registered accounts, warned its users that their email
addresses, user names and birth dates were exposed to suspected
spammers as a result of a breach at the email provider.
“Silverpop Systems, Inc., a leading marketing company that sends email
messages for its clients, told us that information was taken from its
servers,” devantART's email stated. “We can assure you that nothing
occurred on our systems with respect to this incident and no access
was gained to private information on deviantART's servers. Because we
value the information that members give us, we have decided not to
rely on the services of Silverpop in the future and their servers will
no longer hold any data from us.”
And late last week, Walgreens, the largest US drugstore chain, warned
that hackers stole a customer list and used it to send them phishing
emails that sought additional personal information.
Walgreens didn't say how the list was stolen, but according to this
press release, the drugstore chain uses Arc Worldwide as its
"promotional marketing 'agency of record.'" The marketing services arm
of Leo Burnett USA, Arc Worldwide was the same business partner that
hired the unnamed email database provider that lost the McDonald's
customer list. And as the press release here makes clear, Arc
Worldwide counts Silverpop as a partner.
A receptionist answering main number for marketing company Arc
Worldwide said she didn't have a public relations department to
transfer reporters to. A spokeswoman for Silverpop declined to answer
questions, but issued a statement that read in part:
When we recently detected suspicious activity in a small percentage of
our customer accounts, we took aggressive measures to stop that
activity and prevent future attempts. Among other things, we
unilaterally changed all passwords to protect customer accounts and
engaged the FBI's cybercrime division. It appears Silverpop was among
several technology providers targeted as part of a broader cyber
attack. We have notified all customers impacted by this activity. We
are currently focused on working with our customers, especially the
small percentage impacted by these events.
Beyond the cliche about chains being only as strong as their weakest
links, the lesson here is that companies that expose their customers'
secret data can't be trusted unless they come clean about what went
wrong and what they've done to prevent it from happening again. So
far, Silverpop hasn't done that, which is something readers should
remember the next time they're asked to share their personal details
with Salesforce.com, Ciena, Edgar Online; IBM's Coremetrics division
or Adobe's Omniture business unit, to name just a few.
No comments:
Post a Comment