Epsilon Hack Exposes Customer Data from Best Buy, Others

Worldwide marketing service firm Epsilon revealed on Friday that its clients' customer data, which the company used in e-mail campaigns, have been breached.

Hackers accessed the data on March 30. The data includes the names and e-mail addresses of customers who have signed up for e-mail newsletters and other Web campaigns by Epsilon's clients. Best Buy, Walgreens, JPMorgan Chase, Marriott and TiVo are among the clients whose customer information has been compromised.

According to a brief Epsilon press statement, "[A]n incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's e-mail system. The information that was obtained was limited to e-mail addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

When the breach was first discovered, it was believed that the hackers responsible had gained access to customer information from The Kroger Co., the nation's largest grocery retailer. However, over the weekend, more companies in Epsilon's group of 2,500 clients reported similar breaches.

As of today, the list of companies where data have been compromised includes: TiVo, Kroger, US Bank, JPMorgan Chase, Capital One, Citi, Ameriprise Financial, Home Shopping Network, LL Bean Visa Card, Lacoste, AbeBooks, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy and Robert Half Technologies.

In an e-mail to Best Buy Reward Zone members, Epsilon issued the following statement: "We have been assured by Epsilon that the only information that may have been obtained was [recipients'] e-mail address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk."

While the information obtained by the hackers was minimal, affected companies are still warning customers to keep an eye out for fraudulent or unsolicited e-mail. Citibank Tweeted, "Please be careful of phishing scams via e-mail."

Although the threat level associated with e-mail scams is low, the lists come from specific companies and specific brands, so phishers can use that information to send out a more personalized campaign.

"We all know that our e-mail addresses are out there because we all get way too much spam, so you might ask what the big deal is," wrote Randy Adams, director of technical education at security software company ESET, in a blog post. "Here's the deal. If a criminal has your name, e-mail address, and knows that you use that e-mail address for your banking or shopping, they now know how to target phishing attacks."

Adams reminds readers that customers affected by this recent security breach should take the same precautions as they would after any information breach.

"If you get an e-mail with a link to a Web site that requires a log-on, do not log on," he wrote. "Always go to your vendor's Web site by typing in a known valid internet address."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.