Epsilon Data Breach Expands to Include Capital One, Disney, Others

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:34:48


The compromise of a system at online marketing company Epsilon Data Management that came to light last week and involves the email addresses and names of customers at companies such as Citibank, Kroger and Disney expanded over the weekend to include a slew of other companies. The attack does not appear to have compromised any customer financial data or other sensitive information.

Word of the attack on Epsilon began to filter out last week when a handful of companies began notifying their customers that their email addresses and perhaps their names were compromised. Then on Friday Epsilon posted a terse notice about the attack on its system.

“On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” the statement said.

The first companies, including Kroger, began notifying customers of the attack late last week. In the last couple of days more and more companies have sent out notifications as well, including some very large retailers, such as Walgreens, and the credit card company Capital One.

One such letter, from Disney Destinations, warns customers that their information has been compromised and that they may end up seeing more spam as a result.

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says. “We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

Other companies that have reported that their customers are affected by the Epsilon breach include Home Shopping Network, JP Morgan Chase and TiVo.

Epsilon is a major email marketing firm that sends messages to end users on behalf of its roster of corporate clients. The company claims to be the largest opt-in marketing company, sending 40 billion messages every year.