Epsilon email address megaleak hands customers' customers to spammers

Filed Under: Data loss, Privacy, Spam

In yet more "data spill puts our customers' customers at risk" news, US direct marketing company Epsilon has been forced to admit that "an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system."

Apparently, only names and email addresses were spilled, which is moderately comforting. What isn't so comforting is the knock-on effect of this data breach.

Epsilon is, if you like, a "cloud provider" of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers' systems, too.

Indeed, Naked Security readers have already sent us a range of email alerts from organisations of which they're customers, including Best Buy, McKinsey Quarterly, Beachbody, 1800Flowers.com, Marks & Spencer, Hilton, AbeBooks and Lacoste.

Other reports identify brands such as Walgreens, Fry's, Marriott Rewards, Disney Destinations, TiVo, Kroger, Walmart and JP Morgan Chase as affected by this particular incident.

Sadly for Epsilon, this gives a whole new meaning to their own corporate tagline, "Marketing as usual. Not a chance."

As we've noticed before, carelessness with email addresses isn't a cardinal sin in the data leakage world - both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem.

However, losing your email address to scammers and spammers is likely to mean a surge in spam to your account.

Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable.

Outsourcing and the cloud are buzzwords of the 2010s - their many evangelists will assure you that cloud-sourcing your high-volume internet services is certain to save you money, improve your up-time, and boost your security. After all, if you leave a job such as direct marketing (or email, or office automation, or authentication) entirely to the specialists, you're bound to have experts on the job who are at least as switched on about security as you are.

But sometimes, keeping your own skills and abilities factored into your organisation's security equation can pay off.

Bear in mind that a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they don't know everything about security, after all.

Maybe they should be learning from you?

If you'd like to understand more about e-marketing security in particular, and cloud security in general, why not check out the resources below:

* Best practices top 10: Keep your e-marketing safe from threats

Protect your brand – read our report on how to avoid security vulnerabilities in your e-marketing strategy.

* A lesson in cloud computing and software as a service

Paul Ducklin, of Sophos in Sydney, defines cloud computing and SaaS, explains the associated security risks and gives his opinion on whether cloud and SaaS mean the end of desktop security software.

Duration 10:40 minutes, size 7.3MBytes

(Want to listen to the podcast offline? Download it and listen later.)


18 Responses to Epsilon email address megaleak hands customers' customers to spammers

  1. Jack · 1608 days ago

    One word: lawsuit

    • Paul Ducklin · 1608 days ago

      Hmmm. Not sure I like the idea of using lawyers to sort out data leakage and security problems.

      I guess you need them as a last resort. But we really need to do better than to need that last resort...

  2. Jay · 1608 days ago

    Add The College Board to the list....

  3. kiernan van doorn · 1608 days ago

    can you say epic fail..

  4. George · 1607 days ago

    From the moment I heard the term cloud a few years ago I've had one equation in mind: (cloud services) != security. Why? Because cloud services consolidate businesses into larger targets. Larger targets attract more and better attackers. Simple as that.

  5. ezer · 1607 days ago

    Add Robert Half to the list as well....

    "Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

    As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.


    Robert Half Customer Care

    Robert Half Finance & Accounting
    Robert Half Management Resources
    Robert Half Legal
    Robert Half Technology
    The Creative Group"

  6. MaryAnne Teal · 1607 days ago

    Add Brookstone and (a biggie) Disney, since their Disney Destinations list was also included in this incident...

  7. AlphaKat · 1607 days ago

    Customers of American Express were also hit.

  8. Tom Cox · 1607 days ago

    And US Bank!

  9. Rochelle · 1607 days ago

    Also Kroger.

  10. kstones · 1607 days ago

    Interesting that on March 26, my bank called regarding fraudulent use of my credit card and today I receive an email from Best Buy that data was leaked.

  11. JimW · 1607 days ago

    Add Red Roof Inn to the growing list. Time these dipsticks came public with the names of all their customers.

  12. Chris · 1607 days ago

    After receiving several of these Epsilon warnings, I received this very strange e-mail too, which I think is a scam:

    After the last annual calculations of your fiscal activity we have
    determined that you are eligible to receive a tax refund of $182,50.
    Please submit the tax refund request and allow us 3-9 days in order to
    process it.

    A refund can be delayed for a variety of reasons.
    For example submitting invalid records or applying after the deadline.

    To access your tax refund, please click here

    Best Regards,
    Tax Refund Deparment
    Internal Revenue Service
    © Copyright 2011, Internal Revenue Service U.S.A. All rights reserved.

  13. Mike P · 1607 days ago

    Also Hilton HHonors email addresses have been targeted! They have sent out a warning message - by email!

  14. Northscot · 1607 days ago

    Also Hilton Hotel - HiltonHonors customers:
    "Dear Customer: We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you?

    The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses.

    Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of "phishing" e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com. Sincerely, Senior Vice President, Customer Marketing Hilton Worldwide"

  15. Southmatt · 1606 days ago

    I've been e-mailed by 3 companies already: Best Buy, Kroger (Ralphs), and 1-800-Flowers. This is getting a little ridiculous!

  16. Girts · 1606 days ago

    My partner has just had an email (apparently) from Marks & Spencer's to say their customers' email addresses were hit in this breach. Are M&S a client of Epsilon, or is this a scam within a scam?

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog