Epsilon, a large email marketing services company with a roster of A-list clients,
reported a data breach that is impacting practically anyone who has ever signed
up to receive a retail offer or alert through an email account. The company
warned that thieves may use the information to launch a phishing campaign to
trick users into disclosing more critical data.

On March 30, Epsilon detected "an unauthorized entry" into its email
system. During this time, a subset of clients' customer data was exposed. Epsilon
only has the information of people who opted in to receive marketing emails,
and the theft was limited to email addresses and customer names, according to
the company.

"A rigorous assessment determined that no other personal identifiable information
associated with those names was at risk. A full investigation is currently
underway," Epsilon said in a terse statement on April 1.

No industry segment appears to have been spared. Epsilon has been updating its
list of affected companies as it continues its investigation into the breach.
As of April 3, the list included financial services institutions such as
Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware.
However, the only Barclays Bank of Delaware
customers affected were the ones who have an LL Bean Visa card.

In addition to the banks, other impacted companies included hotel brands
Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home
Shopping Network, Walgreens, Brookstone, New York & Company and Kroger.
TiVo is also included in this list.

McKinsey, The College Board and Disney Destinations were also part of the confirmed list.

"Please be careful of phishing scams via email. Statement from Citi for our valued
Customers regarding Epsilon & email," financial giant Citi warned its
customers in a post on Twitter.

As breaches go, the amount of information exposed is very limited. TiVo assured
customers in an email that their "service and other
personally identifiable information" were not at risk. Marriott Rewards
customers received similar reassurances, as only email addresses were stolen,
and passwords, credit card information, member addresses and point balances
remained safe. Other affected clients sent out similar messages over the
weekend, and more are expected as Epsilon continues its investigation.

"Epsilon has advised us that the files that were accessed did not include any customer
information other than email addresses," used books retailer AbeBooks
wrote in a message to customers on April 3.

Even so, customers should "exercise extreme caution," as email addresses
are all cyber-criminals need to initiate a phishing attack. Users can expect to
see more spam, and should be vigilant about email offers that ask for personal
information or have links to other sites that ask for personal information.

Many of these phishing attacks tend to take the form of security alerts—informing
users that their accounts have been compromised and they should verify their
log-in credentials to reset their accounts—or direct marketing scams promising
special deals that require a credit card number.

Citi reminded users that all legitimate messages from the bank use "an Email
Security Zone" to authenticate the messages. "Customers should check
the Email Security Zone to verify that email they have received is from Citi
and reduce the risk of personal information being phished," according
to Citi.

There have been at least three major incidents involving stolen email lists in recent
months. TripAdvisor
informed users of a breach affecting their email addresses on March 24, and Play.com
said March 27 it was affected by the Silverpop data breach announced in
December. The Silverpop incident affected only a subset of its clients, which
included McDonald's, American
Honda Motor and deviantART.

As the world's largest permission-based email marketing service, Epsilon has more
than 2,500 clients and sends more than 40 billion emails annually. The
Dallas-based subsidiary of Alliance Data Systems works with some of the biggest
brand names across all industries. The company manages the customer email database
and communications for its clients.