How far did McDonald's-tied data breach ripple?

At least two companies with ties to e-mail database management firm are forced to warn customers of breach. Are there more?

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Silverpop CEO Bill Nussey points out that his company is not alone in being victimized by a data breach.
Silverpop CEO Bill Nussey points out that his company is not alone in being victimized by a data breach. Silverpop

A data breach at e-mail database management firm Silverpop prompted McDonald's and at least one other Web site to warn subscribers, but it's unclear just how many companies are affected.

McDonald's told customers this week that in addition to e-mail addresses, other information may have been exposed such as name, postal address, and phone number. The data was managed by an unnamed company hired by its marketing partner, Arc Worldwide.

However, the company was revealed to be Silverpop in this ChicagoBusiness.com report, which quotes an FBI spokesman as saying that Silverpop has more than 100 customers and that the attack appears to have come from overseas. An FBI spokesman declined to provide comment to CNET today.

Meanwhile, artist community Web site DeviantArt sent an e-mail to its users saying that user names and birth dates, along with e-mail addresses, may have been swept up in a spam-related breach at its marketing e-mail provider Silverpop. "Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us," the e-mail said.

A Silverpop spokeswoman declined to identify any of its clients by name or say how many customers were affected by the compromise other than to say it was a "small percentage."

"It appears Silverpop was among several technology providers targeted as part of a broader cyberattack," Silverpop said in a statement. The spokeswoman would not elaborate, but a blog post by Silverpop Chief Executive Bill Nussey today would suggest the company wants to make it clear that they are not the only company that has suffered a breach.

"The media has recently been covering the security disclosures of several large brands," Nussey wrote. "It is important to clarify that several of these large brands have never been Silverpop customers. I'm hopeful it is clear that the disclosed attacks cover multiple companies in our space and we, as an industry, need to work together to protect the security of all of our customers."

Indeed, there have been several other attacks reported recently, including one involving 1.3 million user accounts at a blog empire and a large pharmaceutical retailer.

Walgreens had a breach that exposed customer e-mail addresses last week but a spokesman said he was confident that the incident was not related to any other public breaches, despite the fact that the company had a contract for promotional services with Arc Worldwide as of last year, according to this statement. The Walgreens compromise was unrelated to Arc Worldwide or Silverpop, Walgreens spokesman Michael Polzin told CNET today.

Walgreens warned customers in an e-mail on Friday that they might be targeted by phishing e-mails purporting to be from the company that ask for additional information like credit card information. Polzin declined to say how many customers were affected or how the e-mail addresses were compromised, but said only e-mail addresses were exposed. The company is working with the FBI on the investigation, he said.

Then there is the highly publicized breach of the Gawker blogging sites in which individuals calling themselves "Gnosis" got access to the company's Web site and back-end database and posted user names, passwords, e-mail addresses, and other sensitive Gawker communications to The Pirate Bay Bit Torrent site over the weekend.

Because so many people use the same password on multiple accounts, the breach puts those users' accounts on other sites at risk of hijack. After the Gawker breach, Twitter accounts were found to be used to send spam. To prevent any similar problems from happening, LinkedIn disabled passwords of users whose e-mail addresses were also used on Gawker, and Yahoo reportedly asked users to reset passwords, but did not say it was related to Gawker. (For more details on the Gawker incident read this FAQ.)