Massive Breach at Epsilon Compromises Customer Lists of Major Brands
Posted on 04/02/2011 8:46:19 PM PDT by brytlea
Due to the growing list of brands disclosing that they have been compromised as a result of this breach, I'm going to go ahead and tag this as a massive breach. And I only expect it to get bigger as more announcements come out from Epsilon customers.
Last night we reported on a breach at marketing services provider, Epsilon, the world's largest permission-based email marketing provider. Initially we wrote that the breach had affected Kroger, the nation's largest traditional grocery retailer. There is a list of companies at the link (but I don't know if that is going to be the full list, it sounds like there may be more yet).
It turns out that Kroger is only one of many customers affected by the breach at Epsilon.
(Excerpt) Read more at securityweek.com ...
You would think that an outfit this big — and supposedly professional — would have encrypted this data. Apparently not.
We just received a message from the College Board (the folks who run the Advanced Placement exams and the SATs) stating, “We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.”
Yeah, sounds basically like what I received from TiVo. Whoever did this apparently now has a LOT of email addresses with names. :(
This is one reason I have stopped giving my email address to almost anyone, if I don’t have to. Seems that every store I buy something in nowadays wants my email address and I just say, “No thank you.” They always seem surprised. Next time I’ll just mention this fiasco.
Thank you. This is the umpteenth time this has happened in the past year or so, but this sounds like one of the biggest.
I wonder if they EVER catch these creeps?
I got an e-mail from the college board.
Thank you for posting. I received an email tonight from collegeboard.com about the epsilon breach, that my first and last name and email were fraudulently accessed. This is why I come to freerepublic when I want breaking news.
Got the same email here
I just hope names and emails were really all they got.
Thanks! I have online accounts at some on the list.
Just another reminder to look at the email, then open the site from *FAVORITES* (or even Google it) instead of using the links in the email.
Not that I don’t get sloppy now & then when there’s a good sale at an e-merchant I regularly do business with.
Got an email from US Bank yesterday - they were a target as well.
I don’t know. It doesn’t seem as though they catch these criminals very often.
This sort of thing points to the need for everyone to step up and take responsibility for their own online security. It’s clear that most companies have no intention of helping in any meaningful way.
I’ve gotten so paranoid anymore, but it only takes getting sloppy once. It just seems these creepy scoundrels are so pervasive anymore and I guess they are next to impossible to catch.
I agree, it doesn’t seem like they EVER catch them, and it doesn’t seem that there seems to be any desire on the part of the government (altho it may just be that it’s virtually impossible, I don’t know).
The problem is, you can be careful (I am, extremely so) but it seems the bad guys get smarter and better all the time. I don’t know how long we can stay a step ahead of them. I’m not a techie genius. At some point do we just throw in the towel and give up?
None of my banks have sent me anything. Yet.
Yeah, I know exactly what you mean.
I looked (in *Preview*) at an email from my auto insurer a couple of months back, and it looked EXACTLY like what I normally get from them, but didn’t seem ‘right’.
I finally noticed in the small print at the end that they had a letter in the acronym wrong. I deleted it without opening, then did a set of scans just to be safe.
I also have web-based email accounts, and when something comes to them, no matter what or from whom, I right click on any links in the *PREVIEW*, and hit *PROPERTIES*, and that shows what the REAL address of the link is, no matter what it says it is. It doesn’t get opened if it’s got bad links.
Have to be careful, and check EACH link, because there are often a couple of real links to main site of the real company in the first part & very end, but the “money links” for the actual “offer” in the body of the message are the redirects.
I’ve googled some of them, and most are well-known scam operations located mainly in China, Rumania, or Russia, where there is zero chance of doing anything about them.
Hrm, I just got an email from US Bank about this very subject.
At least, it claimed to be from US Bank....
I got one also tonite from HSN (Home Shopping Network). I have the feeling this is a rather wide ranging breach of security, with many businesses affected, and thus we are affected. Great. Mine said they are already increasing their security measures. Better late than never.
Ha! The Nigerians have no trouble finding me as it is!
Ditto. I received the same thing from US Bank this morning. I wonder how huge this breach will turn out to be?
Yeah, I wondered at first... is this really a big deal and then I wondered...did they get more info than just email addresses? I guess we get to just wait and wonder until a bunch of us find our whole IDs are stolen.
Strangely, some of the companies listed have NOT contacted me yet.
I know I’m going to keep a close eye on my bank account in the coming days.
Perhaps some companies aren’t sure what to tell their customers yet. This really creeps me out.
Good idea, and good point.
Indeed, banks and other financial institutions are required by law to be conservative and above-board with how they handle customer information given to marketing companies. The Federal Reserve and the SEC have recently issued joint guidelines on this very subject; the press release is at Federal Regulators Issue Final Model Privacy Notice Form, and the model customer privacy notification opt-in form is here.
Thank you for that info. And before this happened, I have to admit, I really didn’t know they did this.
Since a number of companies address you by name in official email as a way to distinguish their correspondence from spam and phishing attempts, having names matched to emails could be a problem.
Yeah, I’m totally paranoid anymore anyway (had a couple of virii last year, never really figured out for sure how I got them because I thought I was careful—so I’m hyper careful now). But even so, it seems like the bad guys get better and smarter and more clever all the time. :( It’s why I refuse to do online billpay etc.
This is not an APPLE PING but just an alert ping about a major breach of security for email addresses... Just be aware that you may be at increased risk for phishing expedition due to this breach. Swordmaker
I got the same message from College Boards. That sure explains the incredible spike in spam for the last few days. Now the question is, how to get rid of it. With all these email addresses out there it will be very difficult to get rid of. I imagine Epsilon is bracing for the inevitable class action suit. Lawyers will make millions and each person who gets spammed will make a couple of bucks.
I got an email from Brookstone about this same thing. I removed myself from their mailing list quickly thereafter, but I suspect my inbox will be full of garbage in the coming weeks.
I got that same notice from Disney over the weekend.
Yeah, I think removing your name now is not going to do any good. Darnit.
Isn’t that almost as frustrating as the scummy spammers?
Add Hilton and Walgreens to the list...
I received over 100 new spam yesterday!!!!
Epsilon should pay!
What are your thoughts?
Interestingly, I haven’t received any spam, yet (altho I bet I will). I don’t know how Epsilon can pay, I’m not sure what they can do for us (we haven’t actually had a financial loss, so legally what can they do for us). And believe me, I’m angry. I suppose they can be made to go out of business, and some lawyers can be made rich, but even if the company were dissolved and all of their assets were divvied up among all of the people affected (or potentially affected) I wonder how much everyone would get (after even reasonable attorney fees)?
I save my real anger for the culprits who perpetuate these sorts of crimes and no one even seems to have an interest in even trying to figure out how to track them down and doing anything to them. On the other hand, I am not giving my email address out to ANYONE anymore unless it is absolutely necessary. In fact, I had stopped doing it about the last year anyway, even tho it’s a bit of a pain as every time you buy something in a store nowadays they ask. I will now tell them no and tell them it’s because of THIS.
We got emails from Charter cable and Chase bank that they got our email addresses.
Hopefully nothing comes of it...
Even the little online used book exchange ABE Books was hit.
Yes, I got one from them the other day. I had completely forgotten about them, I guess I must have ordered something from them, but I know it’s been a long time ago.
I got an email this morning about this from Scottrade.
I hope that Epsilon didn’t have any financial info. That’s my major concern.