Epsilon Data Breach Expands to Include Capital One, Disney, Others

The compromise of a system at online marketing company Epsilon Data Management that came to light last week and involves the email addresses and names of customers at companies such as Citibank, Kroger and Disney expanded over the weekend to include a slew of other companies. The attack does not appear to have compromised any customer financial data or other sensitive information.

Word of the attack on Epsilon began to filter out last week when a handful of companies began notifying their customers that their email addresses and perhaps their names were compromised. Then on Friday Epsilon posted a terse notice about the attack on its system.

“On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” the statement said.

The first companies began notifying customers of the attack late last week, including Kroger and others. In the last couple of days more and more companies have sent out notifications as well, including some very large retailers, such as Walgreen’s and the credit card company Capital One.

One such letter, from Disney Destinations, warns customers that their information has been compromised and that they may end up seeing more spam as a result.

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.

“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

Other companies that have reported that their customers are affected by the Epsilon breach include Home Shopping Network, JP Morgan Chase and TiVo.

Epsilon is a major email marketing firm that sends messages to end users on behalf of its roster of corporate clients. The company claims to be the largest opt-in marketing company, sending 40 billion messages every year.

Discussion

  • Anonymous on

    I notified JP Morgan Chase months ago - probably over a year - that I was repeatedly receiving emails with a logo similar to theirs, saying my account was suspended unless I provided verification info, including my account number and PIN. Of course, I never acted on it, but apparently, neither did they! There's no reason this kind of breach should go unnoticed or ignored. As far as I'm concerned, both Epsilon and Chase are responsible. Chase drops the ball again!

  • Lou from NH on

    I have received messages from 2 vendors that use Epsilon so far. But it does make you wonder how long ago the breach happened. I will be very diligent going forward (as I always have been) to anything that looks suspicious.

  • Kurtisj on

    JP Morgan Chase sent this email to their customers:

    "Chase is letting our customers know that we have been informed by Epsilon a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you. "

  • anon on

    "The company claims to be the largest opt-in marketing company, sending 40 billion messages every year."

    Opt-in? As in the bank or other non-marketing institution includes a small section somewhere in the 20 pages of fine print that suggests they may share your personal data in some non-descript way according to law and suggests you snail mail a street address about it? What crap.

    They sure did share it, didn't they? Along with Disney, Citibank, Kroger, etc. Cheers to "de-regulation" suckers! 

  • Anonymous on

    I smell a class-action suit. Can't wait to get my check for 28 cents while watching the lawyers pocket millions.

  • anon on

    Add Hilton Honors to the list...

    "We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed..."

  • anon on

    Shop at Best Buy RewardZone? Them too:

    "On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization. "

  • Anonymous on

    Wow people, wake up.  Your email address/ name is not that sensitive. You are the one that gave your email address away. Ever signed up for online service? rewards program? contest? uh, Facebook?  

    Ever forward an email to anyone like a joke, chain letter, etc? Chances are, they sent that joke to their address book, who then forwarded it to their address book, so on and so forth.

    And yeah, These companies stipulate upfront what they are going to do with your email address. Try reading the disclosures.

    Ignorance of the law isn't a defense; ignorance of a contract doesn't excuse you from it or allow you to complain.

  • Anonymous on

    Add Tivo to that list.

  • Anonymous on

    The reward I got from Best Buy Reward Zone after their e-mail about the Epsilon breach was 2 phone calls (untraceable) telling me my computer had a problem and that if I use Windows and had an internet connection he could fix it for me. I hung up both times so we never got to the personal stuff! A few hours later my computer was invaded by MS Removal Tool and if I am willing to give my credit card info, etc they will clear it up. The ONLY organization who has this magic combo of phone number, name and e-mail address is Best Buy and I do not think the timing on this is coincidental. I guess I'll have to take my laptop in to the Geek Squad at Best Buy to remove this invasion of my privacy.

  • Anonymous on

    I would like to see a law, or suit, or companies on the breach list, to require Epsilon or their replacement to develop secure plug-ins for each of the major mail applications on all the major platforms to allow the receiver of an email message to securely validate the message sender and provide the validation plug-in and Digital Certificates for each user whose information was lost.

    Having them each send me an email saying "we goofed up so be careful" is just not good enough!

    The list of companies involved should be powerful enough to do this if they work together. Otherwise we need a law or a lawsuit. 

  • Hongwen Zhang on

    Thanks for your post, and for helping to keep your readers informed about this breach. In order to defend against this type of attack, businesses can no longer rely on point solutions such as firewalls, IDS/IPS devices, or simple IP reputations. Solutions that can provide deep content inspection to detect embedded attacks across email and Web sessions should also be implemented. This breach also illustrates the importance of ensuring network layer Data Leakage Prevention (DLP) for service providers, in order to prevent the outflow of email addresses. Our company, Wedge Networks has focused on building such solutions for years, and is leading efforts to prevent the good things from flowing out, and bad things from flowing in.

  • heartlandhannah on

    I hope we see a class action lawsuit out there soon for this breach. Frivolous "sorry for the inconvenience" emails are not enough for this serious breach of trust.

  • Anonymous on

    Where do we sign up for the lawsuit? I want to know what our info was doing at Epsilon in the first place? Don't see how Citi Bank can justify that Epsilon is an "affiliate" of theirs. Guess these privacy statements aren't worth the recycled paper they are written on.

  • Anonymous on

    To make things worse, they may have your cell number too (if you get txt message alerts). The fraudsters have already called mine...
