Permission email marketing outsourcer Epsilon has announced a data breach which may affect millions of individuals. In a single-paragraph statement, the company said the breach affects “a subset” of its customer data, but does not disclose the extent of the breach. The unauthorised entry into its email system gained access “only …
Would it be worth
emailing them to see if my data was on one of the breached list, could be an insight to how much my details have been whored out.
Paris because she loves getting whored out.
Sir and/or Madam
Names and email addresses, no big deal, right? Well, this is just about the best quality spam list you can snag, so /someone/ is going to make a pretty penny out of it selling it on.
But apart from that, it's a good reminder that just about any information you give to someone else may be used against you. This is a fundamental weakness in the concept of personally identifying (and therefore privacy sensitive) information. Privacy laws typically ask people nicely to care really well for other people's information, and not abuse it and so on. The best way to do it is to not have it. Because if you do have it in sufficient quantities you become a natural target for people looking to profitably abuse it.
This looks like a fertile green field to put some serious research into. What tools would you need to not need to keep all that sensitive data but still do your legitimate thing? Maybe spam lists aren't a good example but there are plenty of other things that today still need far more sensitive data than any responsible person ought to want to keep. How would we go about reducing that, eh? Proposals for solutions left as an exercise.
my bank sent me this email.
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
CollegeBoard.com to the list of sites using this crap.
Nice work, now they have the names and emails of basically all American teenagers wishing to go to college (taking the SATs etc.).
And yet another ...
A reader has e-mailed that AbeBooks is also an Epsilon customer.
@And yet another
I also had an e-mail from AbeBooks about this, but when I tried to log on to their site it didn't recognise my e-mail address!
Have yet to get any
No emails yet. Guess I dodged a bullet... or it could be calling in and requesting they "do not use my personal information for soliciting by third parties." If you request they don't, and it doesn't block their ability to give you their primary service, they're required to obey by US law.
Disney as well
I got an email from Disney with the same information as the U.S. Bank one.
Seems like it is pretty widespread.
Out of curiosity I decided to look them up. Their http servers are down - not even a ping.
Didn't I read that Kroger was hit last week?
That's some kind of coincidence. Or not.
I need to change my email address to init\ 0\;@bedrock.pit
Ameriprise & Barclays hit too
financial planning FAIL -- http://ameriprise.com
credit card FAIL -- http://BarclaycardUS.com
McKinsey also clobbered
Got my email from McKinsey Quarterly yesterday.
I had an e-mail over the weekend from a company explaining the situation as per some of the mails people have received. Interesting in a) it is not one of the companies named in the article or in this forum and b) the one company who is named that I know I would like to get a mail from has not bothered to send me anything and yet it is the one customer who does have valuable information about me (my hotel points!!!).
Wonder if they will get round to telling me or will they wait until I spot that my booking for three nights in the summer has been cancelled and instead I am now staying in Lagos.
Both the empty set and the complete set itself are valid subsets of any given set.
So without further specification, it is strictly true that every single day a subset of any data gets leaked.
I really wish this were auto-filled on replies...
Ooh, that is delightfully pedantic. Yes, delightfully.
Also, I'm told that some Amazon customers got e-mails about this, so apparently they are an Epsilon customer too. Although I didn't get one and I have an Amazon account, so I guess they didn't get everyone there.
Got me too
I got an email from McKinsey advising this as well. Kind of annoying because it's my work address which I really don't use for anything except work, until now it's been pretty spam free.
EA Games too?
Apparently EA Games is also a customer, which might explain why my EA-only email address started getting spammed last week. What's a bigger worry is that I changed my email address for a fresh one which also started getting spammed after a couple of days, so it wasn't just a single incident.
Is it expecting too much for anyone to realise that this is a good example of why it's bad to forward customer details to third parties...?
So if in any doubt that you may be sucked into this crap, create some new accounts and dump the old ones, then spend the next week or so making sure all those online accounts that you do need get updated with the new email addresses!
Fantastic! Well thank you very much Epsilon! Do you dirtbags have any idea the amount of time and effort that will be incurred by the rest of us having to fix your complete security f**k-up? Nope I doubt it and I doubt you care either!
BestBuy RewardsZone in the US
See title. At least Tivo and BestBuy were nice enough to tell me.
Yeah, BestBuy RewardZone were quick off the mark here in Canada too. I got the email from them before the story broke here.
Haven't seen a noticeable increase in spam yet.......
And Robert Half Technologies
Chase also confirmed...
Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.
We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by e-mail.
As a reminder, we recommend that you:
Don't give your Chase OnlineSM User ID or password in e-mail.
Don't respond to e-mails that require you to enter personal information directly into the e-mail.
Don't respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
Don't reply to e-mails asking you to send personal information.
Don't use your e-mail address as a login ID or password.
The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on "Fraud Information" under the "How to Report Fraud." It provides additional information on exercising caution when reading e-mails that appear to be sent by us.
Patricia O. Baker
Senior Vice President
Chase Executive Office
Add Bank of America to the list of epsilon customers as well...
So far, I've gotten three copies of the email; two from the financial institutions I deal with (including the aforementioned B of A) and one from a company whom I've enrolled in their rewards program.
I'm wondering if they'll trip my spam filter if any more are sent...
Which underlines the risks..
..of posting naked-and-vulnerable Mailtos on webpages. In that case, no sophisticated exploit needed, just a spammer with relatively-simple harvesting robot to collect the addresses, and you're in exactly the same kind of trouble.
I always wonder
Would banks and financial institutions "die" if they didn't send a single damn mail to their customers?
They actually send mails so close to spam that any advanced anti spam system thinks it is spam no matter how verified the smtp host is.
If they didn't send mails, useless junk, there wouldn't be a problem like phishing anyway.
What really makes me wonder is, they are the oldest customers of any IT technology and their mainframes sometimes run 30-year-old code. It is not like they are computer newbies who don't get the security implications of offloading such info to a third party company. No person in a bank knows how to set up a mailman system that feeds particular data from the database and send their own mail with a fully configured smtp server?
I can see it now....
Be on the lookout for the following:
My name is Mobuto Africa, Vice Presidint of Customer at Walt Disney. Do you love our famouse mouse the last time you visit us??
I wish to let you know that we Disney have many free rooms at Disney Resort in Orlondo, Florida. You have qwalified for our President-for-Life tour package because of the many time you have stayed with us in the past. This package earns you for 4 nights free stay in delucs President suite at Disney hotel Orlando. We also pay your complimentery breakfast and dinners to eat you.
All I ask for luxury tour is that you send me a small reservation fee of $250 via personal check , or enclose your credit card number, your name on card and the ID number on back of card. Once I receive your funds, we send your reservation confirmation number. You may send check or credit information to:
419 Wirefraud Street
Please include international postage and Social Security number to help route your letter.
Thanks for being Disney Customer!!
Let's name the list of folks that sent me e-mails.
Bank of America
Who the hell does not use this clown outfit?
Hilton Honours also affected, but apparently it's no big deal ....
Got an email from Hilton HHonours at 8:45pm last night notifying me of the data breach - but apparently it doesn't matter as "The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails." ... well that's alright then, oh wait, no it's not!
Epsilon says: "The Email Marketing Improvement Audit from Epsilon’s Email & Digital Solutions team analyzes and evaluates your email marketing practices to help develop a clear course of action for improvement. The audit looks at the primary drivers of email marketing performance, program performance. It then provides recommendations on how to improve key measures."
the background questions are interesting
like why do any of these top tier companies need to farm out their "opt-in" spam to an external company? what's so difficult about running your own mail gateways and keeping your customer data secure - well, more secure anyway through the simple expedient of not shipping it off site en-masse ?
Hilton and P90X are also affected...
Both companies have been in touch about my email address having been leaked by this.
This security breach occurred over 6 months ago
I know because I 1st advised Hilton of the problem on 27 Sep 2010 and a few times since. Emails, faxes, phone calls. They have NEVER responded....
When I registered with Hilton Honors, I gave a unique email address. email@example.com
Instantly I know the source of the data security breach. Emailed links to 'filth', repeated very malicious invites to update my Skype & Acrobat....
Not following through on such matters in a timely fashion, sitting on the knowledge, should be made a major issue. Failure to advise in a timely fashion should make the leaker financially responsible for any loss before the warning is issued.
Still I can get my own back. Having changed my Hilton registered email address, I can easily redirect all mail sent to the original address to Hilton senior management... No longer my problem!
Just had a mail...
From Marks & Sparks! So it's not just customers of US companies having their details sold down the river....
Just had an email from Crucial.com
"On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.
We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon's email system."