'Massive' Epsilon E-Mail Breach Hits Citi, Chase, Many More
The breach was first noted on March 31, when Epsilon, a marketing firm whose services include permission-based e-mail marketing and database hosting, began notifying its customers of potential data exposure thanks to an unauthorized entry into Epsilon's e-mail system. According to Epsilon, the information compromised was "limited to e-mail addresses and/or customer names only," and "no other personal identifiable information associated with those names was at risk."
One of Epsilon's clients, grocery chain The Kroger Co., subsequently notified its customers that the database had been breached, and urged its customers to be wary of e-mail from senders they did not know. Later, it was revealed that JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, Walgreens, The College Board, and the Home Shopping Network (HSN) have joined the ranks.
SecurityWeek notes that while the information harvested may seem like a "minor threat" -- after all, it's just e-mail addresses -- targeted phishing messages to these customers are likely to yield a higher "hit rate" than a blind spamming campaign. In other words, people are much more likely to click on an e-mail (or link within an e-mail) that addresses them by name and purports to be from Citi Bank (especially when Citi Bank is the bank they use) then they are to click on an e-mail that addresses them as "Big Guy" and purports to be from a male "growth" company.
In some cases, more than just e-mail addresses and names were disclosed -- Ritz-Carlton Rewards had member rewards points disclosed, along with names and e-mail addresses. This could give scammers more leverage when they attempt a targeted campaign.
Epsilon has the world's largest e-mail marketing service; it sends more than 40 billion e-mails a year and manages customer databases from 2500 clients. Other Epsilon clients (who have not yet been named in the e-mail breach) include Best Buy, TIAA-CREF, and Staples.
If you subscribe to e-mail marketing from any of these brands, never fear -- you're in no danger as long as you keep an eye out for e-mail from senders you don't know, and don't send any sensitive information (such as credit card or banking info) to "companies" via e-mail. It's also a good idea not to open any attachments unless you personally know who's sending you the e-mail and what the attachment is.