Email compromised at Epsilon

Permission email marketing outsourcer Epsilon has announced a data breach which may affect millions of individuals. In a single-paragraph statement, the company said the breach affects “a subset” of its customer data, but does not disclose the extent of the breach. The unauthorised entry into its email system gained access “ …

COMMENTS

This topic is closed for new posts.
  1. fn0rd
    Paris Hilton

    Would it be worth

    emailing them to see if my data was on one of the breached lists, could be an insight to how much my details have been whored out.

    Paris because she loves getting whored out.

  2. Anonymous Coward
    Anonymous Coward

    Sir and/or Madam

    Names and email addresses, no big deal, right? Well, this is just about the best quality spam list you can snag, so /someone/ is going to make a pretty penny out of it selling it on.

    But apart from that, it's a good reminder that just about any information you give to someone else may be used against you. This is a fundamental weakness in the concept of personally identifying (and therefore privacy sensitive) information. Privacy laws typically ask people nicely to care really well for other people's information, and not abuse it and so on. The best way to do it is to not have it. Because if you do have it in sufficient quantities you become a natural target for people looking to profitably abuse it.

    This looks like a fertile green field to put some serious research into. What tools would you need to not need to keep all that sensitive data but still do your legitimate thing? Maybe spam lists aren't a good example but there are plenty of other things that today still need far more sensitive data than any responsible person ought to want to keep. How would we go about reducing that, eh? Proposals for solutions left as an exercise.

  3. Anonymous Coward
    Anonymous Coward

    nice email.

    my bank sent me this email.

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:

  4. da_fish27

    I'd add...

    CollegeBoard.com to the list of sites using this crap.

    Nice work, now they have the names and emails of basically all American teenagers wishing to go to college (taking the SATs etc.).

    1. Richard Chirgwin (Written by Reg staff)

      And yet another ...

      A reader has e-mailed that AbeBooks is also an Epsilon customer.

      1. Graham Marsden

        @And yet another

        I also had an e-mail from AbeBooks about this, but when I tried to log on to their site it didn't recognise my e-mail address!

    2. Ammaross Danan
      Coat

      Have yet to get any

      No emails yet. Guess I dodged a bullet... or it could be calling in and requesting they "do not use my personal information for soliciting by third parties." If you request they don't, and it doesn't block their ability to give you their primary service, they're required to obey by US law.

  5. Dave Phillips

    Disney as well

    I got an email from Disney with the same information as the U.S. Bank one.

    Seems like it is pretty widespread.

  6. Ole Juul

    Maintenance?

    Out of curiosity I decided to look them up. Their http servers are down - not even a ping.

  7. Flaco Dude
    Headmaster

    Ameriprise & Barclays hit too

    financial planning FAIL -- http://ameriprise.com

    credit card FAIL -- http://BarclaycardUS.com

  8. Anonymous Coward
    Anonymous Coward

    Didn't I read that Kroger was hit last week?

    That's some kind of coincidence. Or not.

    I need to change my email address to init\ 0\;@bedrock.pit

  9. Anonymous Coward
    Anonymous Coward

    McKinsey also clobbered

    Got my email from McKinsey Quarterly yesterday.

  10. Bluenose
    FAIL

    Interesting..

    I had an e-mail over the weekend from a company explaining the situation as per some of the mails people have received. Interesting in that a) it is not one of the companies named in the article or in this forum and b) the one company who is named that I know I would like to get a mail from has not bothered to send me anything and yet it is the one customer who does have valuable information about me (my hotel points!!!).

    Wonder if they will get round to telling me or will they wait until I spot that my booking for three nights in the summer has been cancelled and instead I am now staying in Lagos.

  11. Marvin the Martian
    Headmaster

    Subset

    Both the empty set and the complete set itself are valid subsets of any given set.

    So without further specification, it is strictly true that every single day a subset of any data gets leaked.

    1. Ben 42
      Happy

      I really wish this were auto-filled on replies...

      Ooh, that is delightfully pedantic. Yes, delightfully.

      Also, I'm told that some Amazon customers got e-mails about this, so apparently they are an Epsilon customer too. Although I didn't get one and I have an Amazon account, so I guess they didn't get everyone there.

  12. dboy

    Got me too

    I got an email from McKinsey advising this as well. Kind of annoying because it's my work address which I really don't use for anything except work, until now it's been pretty spam free.

  13. Vometia

    EA Games too?

    Apparently EA Games is also a customer, which might explain why my EA-only email address started getting spammed last week. What's a bigger worry is that I changed my email address for a fresh one which also started getting spammed after a couple of days, so it wasn't just a single incident.

    Is it expecting too much for anyone to realise that this is a good example of why it's bad to forward customer details to third parties...?

  14. Anonymous Coward
    FAIL

    Oh goody!

    So if in any doubt that you may be sucked into this crap, create some new accounts and dump the old ones, then spend the next week or so making sure all those online accounts that you do need get updated with the new email addresses!

    Fantastic! Well thank you very much Epsilon! Do you dirtbags have any idea the amount of time and effort that will be incurred by the rest of us having to fix your complete security f**k-up? Nope I doubt it and I doubt you care either!

  15. TheRealRoland
    Unhappy

    BestBuy RewardsZone in the US

    See title. At least Tivo and BestBuy were nice enough to tell me.

    1. 100113.1537

      Same here

      Yeah, BestBuy RewardZone were quick off the mark here in Canada too. I got the email from them before the story broke here.

      Haven't seen a noticeable increase in spam yet.......

  16. Muckminded
    IT Angle

    And Robert Half Technologies

    Yay.

  17. JaysonS
    Alert

    Chase also confirmed...

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    Don't give your Chase Online℠ User ID or password in e-mail.

    Don't respond to e-mails that require you to enter personal information directly into the e-mail.

    Don't respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.

    Don't reply to e-mails asking you to send personal information.

    Don't use your e-mail address as a login ID or password.

    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on "Fraud Information" under the "How to Report Fraud." It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

  18. J. Cook Silver badge
    Joke

    Add Bank of America to the list of epsilon customers as well...

    So far, I've gotten three copies of the email; two from the financial institutions I deal with (including the aforementioned B of A) and one from a company whom I've enrolled in their rewards program.

    I'm wondering if they'll trip my spam filter if any more are sent...

  19. Anteaus
    Alert

    Which underlines the risks..

    ..of posting naked-and-vulnerable Mailtos on webpages. In that case, no sophisticated exploit needed, just a spammer with a relatively simple harvesting robot to collect the addresses, and you're in exactly the same kind of trouble.

  20. Ilgaz

    I always wonder

    Would banks and financial institutions "die" if they didn't send a single damn mail to their customers?

    They actually send mails so close to spam that any advanced anti spam system thinks it is spam no matter how verified the smtp host is.

    If they didn't send mails, useless junk, there wouldn't be a problem like phishing anyway.

    What really makes me wonder is, they are the oldest customers of any IT technology and their mainframes sometimes run 30-year-old code. It is not like they are computer newbies who don't get the security implications of offloading such info to a third-party company. No person in a bank knows how to set up a mailman system that feeds particular data from the database and send their own mail with a fully configured smtp server?

  21. Anonymous Coward
    Unhappy

    I can see it now....

    Be on the lookout for the following:

    Dear Madam:

    My name is Mobuto Africa, Vice Presidint of Customer at Walt Disney. Do you love our famouse mouse the last time you visit us??

    I wish to let you know that we Disney have many free rooms at Disney Resort in Orlondo, Florida. You have qwalified for our President-for-Life tour package because of the many time you have stayed with us in the past. This package earns you for 4 nights free stay in delucs President suite at Disney hotel Orlando. We also pay your complimentery breakfast and dinners to eat you.

    All I ask for luxury tour is that you send me a small reservation fee of $250 via personal check , or enclose your credit card number, your name on card and the ID number on back of card. Once I receive your funds, we send your reservation confirmation number. You may send check or credit information to:

    Disney Customer

    419 Wirefraud Street

    Lagos, Nigeria

    Please include international postage and Social Security number to help route your letter.

    Thanks for being Disney Customer!!

    Mobuto Africa

    Vice-President, Customer

  22. kain preacher

    Damn it

    Let's name the list of folks that sent me e-mails.

    Bank of America

    Target

    Robert Half

    US Bank

    Who the hell does not use this clown outfit ?

  23. pjmsupport
    Paris Hilton

    Hilton Honours also affected, but apparently it's no big deal ....

    Got an email from Hilton HHonours at 8:45pm last night notifying me of the data breach - but apparently it doesn't matter as "The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails." ... well that's alright then, oh wait, no it's not!

  24. Yes Me Silver badge
    FAIL

    Yeah, right

    Epsilon says: "The Email Marketing Improvement Audit from Epsilon’s Email & Digital Solutions team analyzes and evaluates your email marketing practices to help develop a clear course of action for improvement. The audit looks at the primary drivers of email marketing performance, program performance. It then provides recommendations on how to improve key measures."

    Yeah, right.

  25. Peter Galbavy
    FAIL

    the background questions are interesting

    like why do any of these top tier companies need to farm out their "opt-in" spam to an external company? what's so difficult about running your own mail gateways and keeping your customer data secure - well, more secure anyway through the simple expedient of not shipping it off site en-masse ?

  26. Anonymous Coward
    Anonymous Coward

    Hilton and P90X are also affected...

    Both companies have been in touch about my email address having been leaked by this.

  27. Rahosi
    Grenade

    This security breach occurred over 6 months ago

    I know because I 1st advised Hilton of the problem on 27 Sep 2010 and a few times since. Emails, faxes, phonecalls. They have NEVER responded....

    When I registered with Hilton Honors, I gave a unique email address. hh@mydomain.co.uk

    Instantly I know the source of the data security breach. Emailed links to 'filth', repeated very malicious invites to update my Skype & Acrobat....

    Not following through on such matters in a timely fashion, sitting on the knowledge, should be made a major issue. Failure to advise in a timely fashion should make the leaker financially responsible for any loss before the warning is issued.

    Still I can get my own back. Having changed my Hilton registered email address, I can easily redirect all mail sent to the original address to Hilton senior management... No longer my problem!

  28. Kevin Fairhurst
    FAIL

    Just had a mail...

    From Marks & Sparks! So it's not just customers of US companies having their details sold down the river....

  29. Tim Boothby

    Just had an email from Crucial.com

    "On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

    We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon's email system."
