Court Rules SilverPop Not Liable for Damages After Data Breach

Back in 2010 and 2011, I posted a number of blog entries about a breach at SilverPop. SilverPop was not particularly transparent/forthcoming about the scope of the breach, but it seemed to be pretty large. Today, Ryan M. Martin of Winston & Strawn LLP writes: A Georgia court recently agreed on a summary judgment motion that a digital marketing contractor was not monetarily responsible for an unauthorized intrusion into its computer network. In the case, Silverpop Systems, Inc., the digital marketing contractor, entered into a service agreement with Leading Marketing Technologies, Inc. (Leading Marketing) that permitted Leading Marketing to upload content to Silverpop’s web-based e-mail marketing tool so Silverpop could send out messages on Leading Marketing’s behalf. (Silverpop Sys., Inc. v. Leading Mkt. Techs., Inc., No. 12:-cv-02513-SCJ (N.D. Ga. Feb. 18, 2014). In November of 2010, Silverpop’s web-based system was hacked, potentially affecting the security of the nearly 500,000 e-mail addresses Leading Marketing had uploaded to the system. After an investigation, Silverpop could not confirm whether any information was exported from its system. Silverpop informed Leading Marketing of the incident. Leading Marketing continued to use the services for several months while withholding payments to Silverpop. Silverpop filed a declaratory action seeking payment. Leading Marketing counterclaimed, arguing that it was justified in withholding payment since Silverpop had failed to keep the addresses secure. Leading Marketing presented a variety of legal claims in support of its argument, including negligence. In finding for the vendor, the court found that Leading Marketing had failed to present evidence regarding the applicable standard of care regarding data breaches in its industry. Read more on Winston & Strawn. Leading Market Technologies was not one of the affected SilverPop customers that we knew about back in 2010 and 2011, but if they had uploaded 500,000 customers’ email addresses to SilverPop, I wonder how large that SilverPop breach really was.

Stolen SilverPop laptop results in notifications

The name “SilverPop” may not seem familiar to some readers of this blog, but if you also read, you’ll recognize it as the name of an e-mail marketing service that got hacked a while back.  As a consequence, a number of its clients wound up having to notify their customers that their email addresses had been acquired by hackers.  It seems that wasn’t all of SilverPop’s problems, however, as  HHS’s breach tool shows that they reported that a Health & Welfare Plan laptop stolen on April 15th held PHI on 884 individuals. users newest victims of SilverPop breach

Anh Nguyen provides an update on a breach reported on  yesterday. At the time, I had raised the possibility that the breach might be linked to a previously known breach involving SilverPop. It turns out that was the explanation: has emailed its customers again to shed more light on the security breach it revealed two days ago. The online retailer’s CEO, John Perkins, said that the company was alerted to a security breach when some customers reported receiving spam email to addresses they only use for In an initial email alert to customers, said that a security breach at a third-party company that handles its marketing communications had had a security breach, which meant that “some customer names and email addresses may have been compromised.” However, not all customers have received an email security alert, which suggests that those who did are the ones that have been compromised. The company has now revealed that the third-party company is email service provider Silverpop, which has been managing’s email marketing since 2008. Read more on Computerworld. Now to find out if customers have also become victims of that breach, as I’ve received several emails indicating that their customer email database has also been compromised.   In light of all of the recent breaches involving email lists, it really would be helpful for SilverPop to issue a list of clients whose data were compromised. I doubt if they’ll do that, of course, but it would sure be helpful keeping all of these breaches straight. [last line corrected to complete it.]

Silverpop’s response to media coverage of breaches

In response to recent news coverage indicating that breaches affecting McDonald’s, DeviantART customers (and possibly Walgreens customers?) were due to a breach at Silverpop, their CEO Bill Nussey responds on Silverpop’s blog: The forensic investigation into the cyber attack on our company and customers has yielded some valuable insights. First, we have confirmed that our quick reaction to reset customer passwords was successful in halting the attack. Second, the specialized monitoring systems run by our outside experts continue to confirm that our existing and enhanced security measures are successfully protecting our application and our customers. Third, we are confident that our application infrastructure, the servers and networks behind our products, was not targeted or compromised as part of this attack. Fourth, third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned. In parallel to our customer and security-focused efforts, we continue to work with law enforcement to identify the criminals that have targeted us and several other companies in our industry. Stephen Emmett, one of the FBI special agents we have been communicating with, allowed me to share the following: “We have been and continue to work with Silverpop and others in the industry who have had criminals attempt to breach their systems and security safeguards. We are focused on identifying those that committed these cybercrimes and bringing them to justice.” The media has recently been covering the security disclosures of several large brands. It is important to clarify that several of these large brands have never been Silverpop customers. I’m hopeful it is clear that the disclosed attacks cover multiple companies in our space and we, as an industry, need to work together to protect the security of all of our customers. For the time being, our efforts will remain focused on the security of our applications and customer data, working with law enforcement and communicating with our customers, especially the small percentage who were negatively impacted by these attacks. Rather than saying that “several of these large brands have never been Silverpop customers,” it would be better to just be clear which ones are not their customers, as they owe them no duty of confidentiality if they are not customers. That way, the media can get the story right.

Survey: 18% of Health Employees Would Sell Confidential Data

Those who said they were willing to sell the data would do so for as little as between $500 and $1,000. Alexandra Wilson Pecci reports: Patients trust their healthcare providers to keep their data safe, but according to a new survey, that trust might sometimes be misplaced. The Accenture survey found that nearly one in five health employees (18%) said they would be willing to sell confidential data to unauthorized parties. In fact, the respondents who said they were willing to sell the data would do so for as little as between $500 and $1,000. Read more on HealthLeaders Media. h/t, Matt Fisher 

Confidentiality language may not throw you into the breach!

Lisa A. Carroll, Martin B. Robins, David G. Kern and James M. Fisher II of Fisher Broyles write: A recent 11th Circuit case may – if followed elsewhere and not reversed by the US Supreme Court – reduce a company’s potential exposure under conventional contract language requiring sensitive materials to be held in confidence. Many companies have been concerned that such language would make them liable if they were the victim of a third-party data breach as opposed to an intentional disclosure by one of their employees or contractors. […] In Silverpop v. Leading Market Technologies, 2016 U.S. App. LEXIS 196, the US Court of Appeals for the Eleventh Circuit held that losses associated with a data breach “are best characterized as consequential” and recovery on a contract claim should be barred when the contract contains a prohibition the award of consequential damages. The Court further found that negligence claims for such data breaches would be barred due to the lack of an applicable standard of care, as well as by the economic loss rule. Thus, absent proof of negligence or specific contractual language that is on-point, a data breach of itself does not constitute a breach of the obligation to take reasonable measures to safeguard confidential material under a confidentiality provision. Read more on Lexology while I go pour some more coffee and try to find someone to translate this into non-legalese for me. customers report spam following breach at third-party marketing firm

Network Security Report reports:, one of the largest online retailers of consumer goods, has suffered a security breach. In a warning to customers, has said that customer names and email addresses may have been compromised. is washing its hands of direct responsibility, claiming that a third party on its marketing communications team is at fault. Read more on  Network Security Report. This is not the first time had a breach that they blamed on a third-party marketing firm. In 2011, they disclosed that spam email addressed to customers was due to a breach at SilverPop. And if this was a breach at an unnamed third-party marketing firm, how many other of the firm’s clients have been been impacted – and how many consumers?

Forbes Breach Email Statistics

Total of 1,056,986 E-mail’s Found are unique. Total of 111,735 E-mail Providers 564  FORBES.COM 844 .GOV 14,572 .EDU Below is a list of all email providers that have 2 or more in the breach. (full list here) Article: [407769] [181617] [86667] [25032] [20092] [17472] [11368] [9842] [7922] [7454] [6940] [6338] [6302] [5130] [4199] [4158] [4009] [3439] [3199] [2992] [2942] [2590] [2512] [2435] [2376] [2173] [1766] [1649] [1564] [1525] [1458] [1272] [1191] [1132] [984] [915] [904] [868] [863] [863] [826] [762] [735] [729] [699] [651] [604] [603] [518] GMAIL.COM: [510] [491] [485] [454] [450] [441] [436] [436] [429] [426] [424] [414] [412] [407] [403] [395] [389] [387] [364] [345] [337] [330] [326] [321] YAHOO.COM: [318] [309] [305] [303] [302] [287] [286] [282] [282] [282] [282] [279] [271] [264] [262] [259] [255] [253] [251] [244] [240] [235] [233] [227] [226] [225] [223] [216] [211] [208] [208] [208] [208] [203] [202] [199] [195] [193] AOL.COM: [191] [189] [188] [187] [187] [187] [186] [183] [183] [182] [182] [181] [180] [179] [177] [174] [174] [173] [172] [169] [168] [165] [164] [162] [160] [159] [158] [156] [156] [153] [152] [152] [151] [150] [150] [150] [147] [145] [144] [144] [144] [142] [142] [140] [138] [137] [136] HOTMAIL.COM: [136] [135] [134] [133] [133] [132] [131] [131] [131] [129] [129] [127] [126] [125] [124] [121] [121] [121] [121] [120] [119] [119] [117] [116] [115] [115] [114] [114] [111] [110] [110] [109] [108] [108] [108] [107] [106] [106] [105] [105] [104] [104] [103] [103] [102] [102] [101] [100] [99] [99] [99] [98] [98] [98] [98] [96] [96] [94] [94] [94] [94] [91] [90] [90] [90] [89] [88] [88] [87] [87] [87] [86] [86] [85] [85] [85] [84] [84] [84] [84] [84] [83] [83] [83] [82] [82] [81] [81] [80] [80] [79] [78] [78] [77] [77] [77] [76] [76] [75] [75] [74] [74] [74] [73] [73] [73] [72] [71] [70] [70] [69] [69] [68] [68] [68] [68] [68] [67] [67] [66] [66] [66] [65] [65] [65] [64] [64] [62] [62] [61] [61] [60] [59] [59] [59] [59] [59] [59] [58] [58] [58] [58] [58] [57] [56] [56] [55] [55] [55] LIVE.COM: [54] [54] [54] [54] [54] [53] [53] [53] [53] [53] [52] [52] [52] [52] [51] [51] [51] [51] [51] [51] [51] [51] [50] [50] [50] [50] [50] [50] [49] [49] [49] [48] [48] [48] [48] [48] [48] [48] [48] [48] [48] [48] [47] pzu-doradca.kobierzyce: [47] [47] [47] [47] [47] [47] [47] [45] [45] [45] [45] [45] [45] [45] [45] [45] [45] [45] [45] [45] [45] [44] [44] [44] [44] [44] [44] [44] [43] [43] [43] [43] [43] [43] [43] [43] [43] [42] [42] [42] [42] [42] [41] [41] [41] [41] [41] [41] [41] [41] [41] [41] [40] [40] [40] [40] [40] [40] [40] [39] [39] [39] [39] wegiel-plock.wielun: [39] [39] [39] [39] [39] [39] [39] [39] [39] [39] [39] [38] [38] [38] [38] [38] [38] [38] [38] [38] [38] program-motywacyjny.mazowsze: [38] [38] [38] [38] [38] [38] [38] [38] [37] [37] [37] [37] czesci-fadroma.lowicz: [37] [37] [37] COMCAST.NET: [37] domy-z-bali.kutno: [37] [36] [36] [36] [36] [36] [36] [36] [36] [36] [36] [36] [36] [36] [36] osk-wloclawek.podhale: [36] [36] [36] [35] mycie-para.sanok: [35] [35] [35] [35] [35] [35] [35] wczasy-egipt.tgory: [35] [34] [34] [34] [34] […]

Breaches without details (updated)

When HHS’s breach tool reveals a breach I was not already aware of, I try to investigate or find media sources. Sometimes, despite my efforts, I can find nothing online to clarify a breach report. In some cases, I write to the organizations, who may – or may not – answer. Here are some breaches reported to HHS this year where we have no additional details. Each entry gives the name of the covered entity, the state, the number of patients reportedly affected, the date of the incident, and what the breach involved. If you have more info on any of these, please let me know or post a link. Amerigroup Community Care of New Mexico, Inc,NM,,”1,537″, 7/15/2011,Theft,Paper Stone Oak Urgent Care & Family Practice,TX,,”3,079″, 10/23/2011,Theft/Loss,Computer (see this post) Conway Regional Medical Center,AR,,”1,472″, 8/24/2011,Loss,Other (CDs) UCLA Health System,CA,,”2,761″, 9/7/2011,Theft,Other Portable Electronic Device (see update below) Julie A. Kennedy, D.M.D., P.A.,FL,,”2,900″, 9/30/2011,Theft,Network Server Knox Community Hospital,OH,, “500”,  10/1/2010,Improper Disposal,Other (X-ray film) Centro de Ortodancia ,PR,,”2,000″,  5/6/2010,Unauthorized Access/Disclosure,Paper InStep Foot Clinic, P.A.,MN,,”2,600″, 8/28/2011,Theft,”Laptop, Electronic Medical Record” Gail Gillespie and Associates, LLC,TX,,”2,334″,6/25/2011,Theft,”Laptop, Computer, Network Server” Capron Rescue Squad District,IL,, “815”,  2/5/2011,Unauthorized Access/Disclosure,Laptop Health Care Service Corporation,IL,, “501”,  6/28/2011,Theft,Paper Silverpop Systems, Inc. Health and Welfare Plan,GA,, “884”, 4/15/2011,Theft,Laptop Gene S. J. Liaw, MD. PS,WA,,”1,105″, 4/4/2011, Loss,Other Portable Electronic Device Update:  Found an explanation for the UCLA breach discussed in the Comments section.   Joseph Conn mentioned the discrepancy in an article: A Nov. 4 public notice on a breach reported by the UCLA Health System states that “some personal information on 16,288 patients” was stolen, but the wall of shame lists the “individuals affected” in the UCLA incident as 2,761. UCLA spokeswoman Dale Tate said in an e-mail that the nearly six-times-larger number in its notice “represents the number of individuals who had some information on the hard drive,” while the 2,761 figure sent to the OCR “represents the number of people that met the specific criteria” under the federal breach notification rule. Under the federal rule, Tate says, “the information for these individuals could possibly cause more than a minimal amount of financial, reputational or other harm.” Information on the rest of the individuals, Tate said, did not meet the criteria. So it was the same incident.

Epsilon a Victim of Spear-Phishing Attack, Says Report (update/correction)

Jaikumar Vijayan follows up on the news story by iTnews, mentioned earlier today, which reported that the Epsilon attack was a spear-phishing attack that resulted in the downloading of malware. Jai makes a point of noting, however, that there’s no proof or confirmation yet from Epsilon that this was a spear-phishing attack. As I commented earlier today, although iTnews claimed that it was “revealing” the type of breach and I suspect Neil Schwartzman of CAUCE is quite correct in his opinion on this, there’s not yet any confirmation that this is what happened this time. Jai reports: It’s not clear whether anyone at Epsilon, or Silverpop saw the alert, or how they may have responded if they did. Neither email service provider responded to a Computerworld request for comment today. According to ITNews, the breaches at Silverpop and Epsilon in the weeks that followed were caused by spear these phishing attacks. Read more on CIO. Could Epsilon have known about this type of attack to proactively prevent it? Absolutely. Should they have known about it in November when it was reported by Return Path and Brian Krebs of Absolutely. Did they know back then? They haven’t said. What did they do if they did know back then? They haven’t said. And that’s why we need a Congressional or legal inquiry into this breach. And we need to get other ESPs under oath to answer the question of whether they, too, were breached back in November or more recently. Updated: As Neil Schwartzman noted in a comment under another blog entry, he didn’t claim that the Epsilon breach was due to this type of attack. According to Neil, “They used 4-month old quotes to draw a causal link. This could just as easily be copycats exploiting another vector. We simply don’t know.” iTnews got ahead of the story, it seems.