McDonald's Data Breach: Supersized?

Uh-oh.

That McDonald's data breach I was telling you about Monday and which touched me personally may have just become much, much bigger than first indicated.

According to a ChicagoBusiness.com news report on the McDonald's data breach published yesterday, the e-mail distribution company that marketing company Arc Worldwide used and which was successfully hacked was identified as Silverpop Systems, Inc. of Atlanta, Georgia.

The ChicagoBusiness.com article states:

"Silverpop is a subcontractor of Chicago-based Arc Worldwide, one of McDonald’s longtime promotional agencies, which handles the promotional e-mail distribution. Arc hired Silverpop to manage that database....

"Silverpop, which has more than 105 customers and activity of more than 1 billion e-mails per month, notified its customers of the breach, according to the FBI spokesman. He says the attack appears to have come from an overseas location."

Silverpop clients include Air New Zealand, Edgar Online, Encyclopaedia Britannica, Mazda North American Operations, Stamps.com, and USA Financial, among others. 

Silverpop's CEO Bill Nussey said in a statement on his blog that the attack that penetrated his company's servers accessed only "a small percentage of customer accounts." He didn't elaborate, however, on exactly how many of his company's 105 clients this "small percentage" amounted to or the proportion they represent in terms of the billion emails the company sends out per month.

In addition, CEO Nussey stated that:

"It appears Silverpop was among several technology providers targeted as part of a broader cyber attack."

Hmm. Have other tech companies - especially in the email promotion and distribution business - been successfully hacked as well?

Already, at least one confirmed Silverpop client, deviantART, has sent emails out to its 13 million customers similar to that sent by McDonald's that their email addresses, usernames and birth dates may have been stolen, according to this post at the Erictric blog. A deviantART forum post here has the full email sent out by deviantART.

[Update: 15 Dec 2010

I received an email late this afternoon from Nicole Jordan of deviantART, who asked me to correct some inaccuracies in the above paragraph, which I am happy to do. She wrote that the total membership of deviantART is 16 million and that:

"Due to the ongoing investigation we're not at liberty to reveal the amount [affected] but it was not anywhere near our total membership."

Hopefully Nicole will let me know how many members were affected when that number can be made public.]

Furthermore, Walgreens has not publicly said its breach was linked to Silverpop, but this informative article appearing in The Register last night found a direct link between Walgreens and Arc Worldwide, which would strongly suggest that it may be.

[Update: 15 Dec 2010

Walgreens is saying today that its email hack was not related to Silverpop's according to this post at CNET news.]

As the Register article noted, Silverpop (nor Arc Worldwide) has not been very forthcoming about which of its clients have had their customer data stolen (maybe it doesn't know or is forbidden to tell because of corporate confidentiality clauses).

Moreover, the clients Silverpop has notified - other than perhaps Walgreens - seem to be taking their own sweet time to admit that their customer information has been taken.  And everyone involved - including Walgreens - seems to be trying to keep a tight lid on the story, especially concerning the number of customer email addresses compromised.

Maybe we can speed up the process of disclosure a bit, however.

If you have received in the past few days an email from a company that may be a Silverpop client (such as Air New Zealand, Edgar Online, Encyclopaedia Britannica, Mazda North American Operations, Stamps.com or USA Financials) saying that your email address has been compromised, obtained, stolen, etc. - and the email isn't from deviantART, McDonald's, or Walgreens (and is not part of the recent Gawker Media-related hack attack, which appears to be a separate issue) - please let me know.

Maybe Spectrum can find out whether the company sending you the email is related to the Silverpop breach or the "broader cyber attack" that Silverpop alluded to in its statement above.

Be sure, though, that this email isn't part of a spam or phishing attack. One can easily envision that those who stole the email addresses and other information from Silverpop will be exploiting it to send out realistic warnings of data theft which ask a person to click on a link which in turn leads to a malware site.

Being part of the McDonald's-related breach - and possibly several others related to it given I interact with many of the companies on Silverpop's client list -  I am expecting to receive such spam and or phishing emails very soon.