The breach was first noted on March 31, when Epsilon, a marketing firm whose services include permission-based e-mail marketing and database hosting, began notifying its customers of potential data exposure resulting from an unauthorized entry into Epsilon’s e-mail system. According to Epsilon, the information compromised was “limited to e-mail addresses and/or customer names only,” and “no other personal identifiable information associated with those names was at risk.”
SecurityWeek notes that while the information harvested may seem like a “minor threat” — after all, it’s just e-mail addresses — targeted phishing messages to these customers are likely to yield a higher “hit rate” than a blind spamming campaign. In other words, people are much more likely to click on an e-mail (or a link within an e-mail) that addresses them by name and purports to be from Citi Bank (especially when Citi Bank is the bank they use) than they are to click on an e-mail that addresses them as “Big Guy” and purports to be from a male “growth” company.
In some cases, more than just e-mail addresses and names were disclosed — Ritz-Carlton Rewards had member rewards points disclosed, along with names and e-mail addresses. This could give scammers more leverage when they attempt a targeted campaign.
Epsilon has the world’s largest e-mail marketing service; it sends more than 40 billion e-mails a year and manages customer databases for 2500 clients. Other Epsilon clients (who have not yet been named in the e-mail breach) include Best Buy, TIAA-CREF, and Staples.
If you subscribe to e-mail marketing from any of these brands, never fear — you’re in no danger as long as you keep an eye out for e-mail from senders you don’t know, and don’t send any sensitive information (such as credit card or banking info) to “companies” via e-mail. It’s also a good idea not to open any attachments unless you personally know who’s sending you the e-mail and what the attachment is.