According to a ChicagoBusiness.comnews report on the McDonald's data breach published yesterday, the e-mail distribution company that marketing company Arc Worldwide used and which was successfully hacked was identified as Silverpop Systems, Inc. of Atlanta, Georgia.
The ChicagoBusiness.com article states:
"Silverpop is a subcontractor of Chicago-based Arc Worldwide, one of McDonald’s longtime promotional agencies, which handles the promotional e-mail distribution. Arc hired Silverpop to manage that database....
"Silverpop, which has more than 105 customers and activity of more than 1 billion e-mails per month, notified its customers of the breach, according to the FBI spokesman. He says the attack appears to have come from an overseas location."
Silverpop's CEO Bill Nussey said in a statement on his blog that the attack that penetrated his company's servers accessed only "a small percentage of customer accounts." He didn't elaborate, however, on exactly how many of his company's 105 clients this "small percentage" amounted to or the proportion they represent in terms of the billion emails the company sends out per month.
In addition, CEO Nussey stated that:
"It appears Silverpop was among several technology providers targeted as part of a broader cyber attack."
Hmm. Have other tech companies - especially in the email promotion and distribution business - been successfully hacked as well?
Already, at least one confirmed Silverpop client, deviantART, has sent emails out to its 13 million customers similar to that sent by McDonald's that their email addresses, usernames and birth dates may have been stolen, according to this post at the Erictric blog. A deviantART forum post here has the full email sent out by deviantART.
[Update: 15 Dec 2010
I received an email late this afternoon from Nicole Jordan of deviantART, who asked me to correct some inaccuracies in the above paragraph, which I am happy to do. She wrote that the total membership of deviantART is 16 million and that:
"Due to the ongoing investigation we're not at liberty to reveal the amount [affected] but it was not anywhere near our total membership."
Hopefully Nicole will let me know how many members were affected when that number can be made public.]
Furthermore, Walgreens has not publicly said its breach was linked to Silverpop, but this informative article appearing in The Register last night found a direct link between Walgreens and Arc Worldwide, which would strongly suggest that it may be.
[Update: 15 Dec 2010
As the Register article noted, Silverpop (nor Arc Worldwide) has not been very forthcoming about which of its clients have had their customer data stolen (maybe it doesn't know or is forbidden to tell because of corporate confidentiality clauses).
Moreover, the clients Silverpop has notified - other than perhaps Walgreens - seem to be taking their own sweet time to admit that their customer information has been taken. And everyone involved - including Walgreens - seems to be trying to keep a tight lid on the story, especially concerning the number of customer email addresses compromised.
Maybe we can speed up the process of disclosure a bit, however.
If you have received in the past few days an email from a company that may be a Silverpop client (such as Air New Zealand, Edgar Online, Encyclopaedia Britannica, Mazda North American Operations, Stamps.com or USA Financials) saying that your email address has been compromised, obtained, stolen, etc. - and the email isn't from deviantART, McDonald's, or Walgreens (and is not part of the recent Gawker Media-related hack attack, which appears to be a separate issue) - please let me know.
Maybe Spectrum can find out whether the company sending you the email is related to the Silverpop breach or the "broader cyber attack" that Silverpop alluded to in its statement above.
Be sure, though, that this email isn't part of a spam or phishing attack. One can easily envision that those who stole the email addresses and other information from Silverpop will be exploiting it to send out realistic warnings of data theft which ask a person to click on a link which in turn leads to a malware site.
Being part of the McDonald's-related breach - and possibly several others related to it given I interact with many of the companies on Silverpop's client list - I am expecting to receive such spam and or phishing emails very soon.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.