Breach at email marketing company Epsilon could affect millions of American shoppers

US email marketing company Epsilon has said that a full investigation is currently underway into an unauthorised entry into its email system.

The company issued a statement on Friday 1st April saying that on 30th March, an incident was detected where a subset of its clients' customer data was exposed by an unauthorised entry into Epsilon's email system.

“The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk,” it said. It later confirmed that two per cent of its total client base, for which Epsilon provides email services, had been affected.

Epsilon has more than 150 clients including American Express, Walgreens, Capital One, JP Morgan and Borders, and sent out more than 7.4 billion email adverts and offers in the final quarter of 2010.

According to security blogger Brian Krebs, more than two dozen brands have alerted customers to the data loss and it was not clear how many more disclosures are still to come.

In an email to Krebs, Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said that he had received notices from two of the companies impacted by the breach and that neither company mentioned the source of the problem.

“Customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out,” he said.

“Reminiscent of credit card companies' reporting of merchant breaches, they do not say who lost the data. Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

In a statement, Marriott commented on the Epsilon breach. It said: “Marriott International has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We take the security of information in our possession and control very seriously.

“Tampering with systems by an unauthorised person or persons is of course an illegal act and the incident was reported to a law enforcement agency which is currently investigating this matter.

“The unauthorised person(s) had access to names and email addresses only. They did not have access to sensitive customer information, such as physical addresses, point balances, account logins and passwords, credit card information or other personal data.”

Chris Jenkins, security line of business manager, Dimension Data UK, said: “The Epsilon data breach serves as a timely reminder of a truism that is relevant to all business process outsourcing where data is involved: you can't outsource risk. In other words, as with the Epsilon case, if the third-party that manages your data is hacked or loses data some other way, it's not just their reputation that is damaged, it's yours too.”

Nigel Hawthorn, VP marketing EMEA at Blue Coat, said: “Security is always high on the agenda of most companies, but the reality is that major security breaches are becoming an almost daily occurrence. Organisations should ensure they regularly review their security processes and notify customers should their personal information be compromised. Perhaps it's time that we review issues such as accountability and disclosure and ensure that information security is not ignored?”

Frank Coggrave, general manager EMEA at Guidance Software, said: “The recent email data breach attack on Epsilon is just one in a series of recent high profile data breaches, once again highlighting that no one is safe from these increasingly sophisticated and more targeted attacks.

“Since attacks consistently break through the toughest of security systems, organisations need to focus on deploying incident response plans to mitigate the effects. This effectively enables organisations to find out where the attacks have come from and determine the full extent of the attack, in turn improving checks and processes to ensure the threat is not re-introduced.”

Jeff Hudson, CEO of Venafi, said: “The fall-out from this database hack calls into question the increasingly popular trend towards outsourcing customer data to third party and specialist marketing firms, since this incident will probably trigger a rash of consequential data privacy amendments to the contracts of these firms.

“This will almost certainly result in more complex service level agreements for these types of services. This case, though relatively simple on the face of it, could have profound repercussions for the marketing industry and the security of client information.”

Terry Greer-King, UK managing director at Check Point, said: “Although only names and email addresses have been exposed in this case, it is likely to lead to a spate of phishing campaigns targeting those people whose details have leaked. So as usual, people need to be wary of emails asking for financial details or passwords, no matter how legitimate they appear to be.

“It highlights the fact that all personal details need to be encrypted by the companies that hold them, to avoid the risks of losses and leaks and to avoid the potential costs of data disclosure penalties.”
