Epsilon email address megaleak hands customers’ customers to spammers

In yet more “data spill puts our customers’ customers at risk” news, US direct marketing company Epsilon has been forced to admit that “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”

Apparently, only names and email addresses were spilled, which is moderately comforting. What isn’t so comforting is the knock-on effect of this data breach.

Epsilon is, if you like, a “cloud provider” of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers’ systems, too.

Indeed, Naked Security readers have already sent us a range of email alerts from organisations of which they’re customers, including Best Buy, McKinsey Quarterly, Beachbody, 1800Flowers.com, Marks & Spencer, Hilton, AbeBooks and Lacoste.

Other reports identify brands such as Walgreens, Fry’s, Marriott Rewards, Disney Destinations, TiVo, Kroger, Walmart and JP Morgan Chase as affected by this particular incident.

Sadly for Epsilon, this gives a whole new meaning to their own corporate tagline: “Marketing as usual. Not a chance.”

As we’ve noticed before, carelessness with email addresses isn’t a cardinal sin in the data leakage world – both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem.

However, losing your email address to scammers and spammers is likely to mean a surge in spam to your account.

Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable.

Outsourcing and the cloud are buzzwords of the 2010s – their many evangelists will assure you that cloud-sourcing your high-volume internet services is certain to save you money, improve your uptime, and boost your security. After all, if you leave a job such as direct marketing (or email, or office automation, or authentication) entirely to the specialists, you’re bound to have experts on the job who are at least as switched on about security as you are.

But sometimes, keeping your own skills and abilities factored in to your organisation’s security equation can pay off.

Bear in mind that a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they don’t know everything about security, after all.

Maybe they should be learning from you?

If you’d like to understand more about e-marketing security in particular, and cloud security in general, why not check out the resources below:

* Best practices top 10: Keep your e-marketing safe from threats

Protect your brand – read our report on how to avoid security vulnerabilities in your e-marketing strategy.

* A lesson in cloud computing and software as a service

Paul Ducklin, of Sophos in Sydney, defines cloud computing and SaaS, explains the associated security risks and gives his opinion on whether cloud and SaaS mean the end of desktop security software.

Duration: 10:40 minutes, size: 7.3 MB

(Want to listen to the podcast offline? Download it and listen later.)