Possible Customer Data Breach of PII data at Sirius XM

About a week and a half ago I began receiving some odd emails from an offshore domain hawking Ray Ban sunglasses. Many of you would not consider SPAM like this to be odd. I would normally feel the same way if the TO: address for email had been sent to a publicly available email address, but this destination email address was one uniquely provided to SiriusXM and only SirusXM for account use.

A couple of years ago I began "marking" all of my relationships with third parties with unique email addresses to better allow me to understand when my user information had been sold or compromised and the source of the compromised information. None of the email addresses actually exist as actual accounts, lists, aliases or forward records on email servers, the emails from these vendors are simply delivered to a default mailbox for a domain

unique email address for vendor@somedomain.com



sent to email server for domain



delivered to default email for the domain

When the email arrives at the default email account the FROM address is reconciled to the TO: address associated with the vendor provided email address and if a mismatch is present in the data then this sets off an alert. Such was the case here where the from domain hawking the Ray Ban Sunglasses and the Michael Kors handbags (lyvi.net) has no relationship with SiriusXM.

On Monday, April 28th I contacted SiriusXm customer support about this issue. I was informed during the call that under no circumstances would customer email addresses be shared with a third party for activities such as selling sunglasses or hand bags. This leaves only the possibility of a data breach in customer data. An email was also sent to listenercare@siriusxm.com detailing the data breach, including an attached copy of the third party email with all headers in tact to allow the SirusXM security team to trace the origin of the email and a reference to the open customer ticket.

>p>Once I ended the phone call I received an email confirmation of my call to SirusXM customer support. This provided an opportunity to compare the email headers of the legitimate customer services email from SiriusXM & a newly arrived marketing email from SirusXM with the suspect emails from the third party. None of mail RECEIVED BY relay addresses or host names matched between the legitimate SirusXM originated email and the SPAM email. All of the SPAM email was routed through offshore email servers and all of the legitimate SiriusXM email originated from email servers located within North America.

On Wednesday, April 30th I followed up with SirusXM customer support for a status on this suspect breach of customer PII data at 5pm EDT. No follow up information was present on the customer ticket number, #140428-056928. As a result of no movement on this issue I am placing this information in the public domain and asking for a follow up on my compromised customer data.

It is very clear given the nature of the unique email address provided to SiriusXM that my own personal account data stored only on SiriusXM computers has been compromised: That SiriusXM unique email address data is now in the hands of an unauthorized third party. I cannot speak to nature of the the data breach or how this impacts other account subscribers. I can only speak to the compromised nature of my own personal data. This data in the hands of an unauthorized third party concerns me and I am disturbed that after 48 hours no information was made available to update the customer ticket related to this data issue.

The Dragnet Synopsis

Who (scope) At least one person: Me. Scope is unknown outside of my own data.
What email PII from SiriusXM account in the hands of an unauthorized third party. SiriusXM customer support verbally confirmed that this information is not provided to third parties, leaving only one alternative
When Emails from third parties began arriving ~2 weeks ago
Where All third party suspect emails originate from the ylvi.net domain. No customer relationship exists between myself and ylvi and even if it did they would have a unique and distinct email from that provided to SirusXM
Why Hey, it's SPAM. Even if .000001% convert it feeds the beast
How There are three common scenarios (1) use of production data in unsecured test environments with third party contractors (2) inside job of someone stealing and selling the data or (3) an external hacker. The actual source of the breach in this case is unknown