In yet more “data spill puts our customers’ customers at risk” news, US direct marketing company Epsilon has been forced to admit that “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”
Apparently, only names and email addresses were spilled, which is moderately comforting. What isn’t so comforting is the knock-on effect of this data breach.
Epsilon is, if you like, a “cloud provider” of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers’ systems, too.
Indeed, Naked Security readers have already sent us a range of email alerts from organisations of which they’re customers, including Best Buy, McKinsey Quarterly, Beachbody, 1800Flowers.com, Marks & Spencer, Hilton, AbeBooks and Lacoste.
Other reports identify brands such as Walgreens, Fry’s, Marriott Rewards, Disney Destinations, TiVo, Kroger, Walmart and JP Morgan Chase as affected by this particular incident.
Sadly for Epsilon, this gives a whole new meaning to their own corporate tagline – Marketing as usual. Not a chance.
As we’ve noticed before, carelessness with email addresses isn’t a cardinal sin in the data leakage world – both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem.
However, losing your email address to scammers and spammers is likely to mean a surge in spam to your account.
Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable.
Outsourcing and the cloud are buzzwords of the 2010s – their many evangelists will assure you that cloud-sourcing your high-volume internet services is certain to save you money, improve your up-time, and boost your security. After all, if you leave a job such as direct marketing (or email, or office automation, or authentication) entirely to the specialists, you’re bound to have experts on the job who are at least as switched on about security as you are.
But sometimes, keeping your own skills and abilities factored into your organisation’s security equation can pay off.
Bear in mind that a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they don’t know everything about security, after all.
Maybe they should be learning from you?
If you’d like to understand more about e-marketing security in particular, and cloud security in general, why not check out the resources below:
* Best practices top 10: Keep your e-marketing safe from threats
Protect your brand – read our report on how to avoid security vulnerabilities in your e-marketing strategy.
* A lesson in cloud computing and software as a service
Paul Ducklin, of Sophos in Sydney, defines cloud computing and SaaS, explains the associated security risks and gives his opinion on whether cloud and SaaS mean the end of desktop security software.
Duration 10:40 minutes, size 7.3 MB
18 comments on “Epsilon email address megaleak hands customers’ customers to spammers”
One word: lawsuit
Hmmm. Not sure I like the idea of using lawyers to sort out data leakage and security problems.
I guess you need them as a last resort. But we really need to do better than to need that last resort…
Add The College Board to the list….
Can you say epic fail...
From the moment I heard the term cloud a few years ago I've had one equation in mind: (cloud services) != security. Why? Because cloud services consolidate businesses into larger targets. Larger targets attract more and better attackers. Simple as that.
Add Robert Half to the list as well….
"Dear Valued Customer,
Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.
We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.
Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.
As always, if you have any questions, or need any additional information, please do not hesitate to contact us at firstname.lastname@example.org.
Robert Half Customer Care
Robert Half Finance & Accounting
Robert Half Management Resources
Robert Half Legal
Robert Half Technology
The Creative Group"
Add Brookstone and (a biggie) Disney, since their Disney Destinations list was also included in this incident…
Customers of American Express were also hit.
And US Bank!
Interesting that on March 26, my bank called regarding fraudulent use of my credit card and today I receive an email from Best Buy that data was leaked.
Add Red Roof Inn to the growing list. Time these dipsticks came public with the names of all their customers.
After receiving several of these Epsilon warnings, I received this very strange e-mail too, which I think is a scam:
After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $182,50.
Please submit the tax refund request and allow us 3-9 days in order to
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.
To access your tax refund, please click here
Tax Refund Deparment
Internal Revenue Service
© Copyright 2011, Internal Revenue Service U.S.A. All rights reserved.
Also Hilton HHonors email addresses have been targeted! They have sent out a warning message – by email!
Also Hilton Hotel – HiltonHonors customers:
"Dear Customer: We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you?
The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses.
Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of "phishing" e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at email@example.com. Sincerely, Senior Vice President, Customer Marketing Hilton Worldwide"
I've been e-mailed by 3 companies already: Best Buy, Kroger (Ralphs), and 1-800-Flowers. This is getting a little ridiculous!
my partner has just had an email (apparently) from Marks & Spencer's to say their customers email addresses were hit in this breach. Are M&S a client of Epsilon, or is this a scam within a scam?