Massive Data Breach at Epsilon: How Many Times Was Your Email Address Taken?

Millions likely affected, some multiple times


Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management.


While bank robber Willie Sutton denied he ever said that he robbed banks "because that's where the money is," hackers have apparently decided that it is still a good principle to follow, regardless.

Late last week, there were news reports that the largest US marketing services firm, Epsilon, a unit of Alliance Data Systems Corp, had announced that it had been hacked on Wednesday. Epsilon's press release was only four sentences long, and merely stated that:

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

Reports surfaced on Friday stating that the names and email addresses of JP Morgan Chase bank customers had been accessed in the attack. A typical story was this one at CNBC News, which reported the data breach and that Epsilon declined to say which of its other 2,500 customers had also been affected.

Then other stories soon started appearing saying that not only had JP Morgan Chase customers' names and emails been exposed, but so had those of customers of the largest US grocery retailer, Kroger.

Then US Bank and VISA said they had been affected by the data breach, as had customers of TiVo.

But by yesterday, stories were coming out fast and furious that saw the list grow to include (so far) the financial planning company Ameriprise Financial, electronic retailer Best Buy, retailer Brookstone, credit card company Capital One Financial Corp, the bank Citigroup, the College Board, Disney, teleshopping company HSN, retailer L.L. Bean, the hotel chain Marriott International (Marriott Rewards), consultants McKinsey & Co., apparel chain New York & Co., the hotel chain Ritz-Carlton, and the drugstore chain Walgreens.

Reuters, in this story about the breach, says that Epsilon "sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company's web site or who give their e-mail addresses while shopping."

A typical email about the breach goes like this from Citigroup, which I received today:

"Recently, Citi was notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including Citi. The information obtained was limited to the customer name and email address of some credit card customers. No account information or other information was compromised and therefore there is no reason to re-issue a new card."

The email goes on to explain, however, that given the breach, expect phishing emails, and how not to be hooked.

This is the second large mass marketer that has been successfully targeted recently. Silverpop was hit late last year, and apparently again last month.

Looking at the list above, I see that my email address was potentially compromised an even dozen times so far (although I have received only two confirmations of that risk), so I am bracing for an avalanche of phish/spam to hit my in-box. As much as I hate doing so, changing my email address is what I will likely do if that indeed transpires.

Out of curiosity, how many times does your name appear on the list of companies above?

Update: 05 April 2011

Various news outlets have identified more companies that have had their customers' emails taken, including: Abebooks, Barclays Bank, Ethan Allen, Hilton Hotels, Lacoste, Robert Half Technologies, Target, and Walmart.

Epsilon says about 2% of its 2500 clients were hit by the hack, which means around 50 companies in all. This also means that there are another 35 to 40 companies who have been affected but have not yet disclosed that fact. I suspect that this lack of disclosure will increasingly become an issue in the next few days.

CBS News is also reporting that the US Secret Service is investigating the data breach, which is the reason Epsilon is giving as to why it is keeping mum on the subject.

I am now up to three notifications that my email was likely swiped, and I expect more soon. 

Update: 07 April 2011  

Yesterday, Epsilon's parent company, Alliance Data Systems Corporation, put out a statement reaffirming that:

"Since the discovery of the unauthorized entry, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised."

Furthermore, in the statement, Bryan J. Kennedy, president of Epsilon, states that:

"We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information. We apologize for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence."

The total number of companies publicly admitting their customers' emails were taken now looks to be in the mid-50s, including companies in Australia (Dell Australia) and the UK (Marks & Spencer). The most complete list I have seen is over at As noted there, it appears that at least one former client of Epsilon had its customers' email list taken too, which raises a question of why that client's customer data wasn't wiped clean when the relationship ended?

The Better Business Bureau has sent out a press release claiming information from the breach has already been used in phishing attempts, but I am more than a bit doubtful. I have received phish purporting to be from some of the companies involved in this data breach previously - including some that I do not do business with, like Chase Bank, which the BBB cited - so how can the BBB tell that a phish is from the data breach? Sounds like a dubious PR move to me.

Several US state attorneys general, including those of Iowa, Virginia and Rhode Island, have warned their citizens to be careful about phishing attempts based on the breach, while others are seeking more information from Epsilon on exactly what happened and why. The Australian Privacy Commissioner plans an investigation as well.

So even though Epsilon has remained tight-lipped on what actually happened, I expect the full story will be disclosed in the not-too-distant future.

In the Alliance Data Systems statement referenced above, the company states that it:

"... expects this incident to have minimal if any impact on Alliance Data's financial performance, guidance or overall positive outlook over the foreseeable future."

Given that the story has moved into the political arena, I wouldn't be so confident.

I am up to four notifications of having my email compromised now because of the breach.
