Although Epsilon didn't name clients, it handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted-out of marketing emails, think again.
Epsilon is one of the world's largest providers of marketing-email services. Epsilon issued a statement, "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."
The scope of major corporations affected is somewhat mind-boggling. Krebs on Security warned, "Among Epsilon's clients are three of the top ten U.S. banks - JP Morgan Chase, Citibank and U.S. Bank - as well as Barclays Bank and Capital One."
After searching through the many articles covering the Epsilon hack, these are the companies that have sent out warnings to their customers:
Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, Ameriprise Financial, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books, Lacoste.
TechEye reported that the largest traditional grocery retailer Kroger, "employs more than 338,000 associates with stores in 31 states under two dozen local banner names including Kroger, City Market, Dillons, Jay C, Food 4 Less, Fred Meyer, Fry's, King Soopers, QFC, Ralphs and Smith's. Potentially anyone who has given their email to any of these places could have had their data half inched."
PCWorld noted, "In some cases, more than just e-mail addresses and names were disclosed -- both Marriott Rewards and Ritz-Carlton Rewards had member rewards points disclosed, along with names and e-mail addresses. This could give scammers more leverage when they attempt a targeted campaign."
That doesn't exactly match up with Epsilon's statement of only names and email addresses, does it? What more I wonder will be disclosed in the next week or so?
According to Paul Ducklin of Sophos Naked Security, it is "moderately comforting" that only names and email addresses were stolen. "Epsilon is, if you like, a 'cloud provider' of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers' systems, too."
Personally, I find the Epsilon hack moderately aggravating as there will be countless people duped by phishing attacks.
Reuters claimed "it could be one of the biggest such data breaches in US history". Indeed, it certainly appears to be one of the largest heists of its kind.
Sign up for Computerworld eNewsletters.