
Epsilon confirms that no financial data was breached, as it admits that the potential loss of clients is its greatest risk


Epsilon has reconfirmed that no personally identifiable information was compromised in the recent breach of its database.

In a statement, its parent company Alliance Data Systems said that the unauthorised entry only saw email addresses and/or customer names taken and not social security numbers, credit card numbers or account information.

Ed Heffernan, chief executive officer of Alliance Data Systems, said: “We fully recognise the impact this has had on our clients and their customers and on behalf of the entire Alliance Data organisation, we sincerely apologise.

“While we can't reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets, their customers. Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber thieves with the greatest sense of urgency.”

Epsilon confirmed that two per cent of its email clients' customer information had been exposed by an unauthorised entry into its email system. It said that since that discovery, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised. It is now working with Federal authorities and outside forensics experts to both investigate this matter and to ensure that any additional security safeguards needed will be promptly implemented.

Epsilon also confirmed that security protocols controlling access to the system have undergone a rigorous review and access has been further restricted as the ongoing investigation continues. It said that marketing campaigns were restarted as clients continued to receive further assurance regarding security.

“The company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients. Specifically, the company's number one priority over the near and long-term will be to ensure that Epsilon's clients regain complete trust in the company's operations. All efforts will be made to reach out to those affected clients and provide whatever assistance is needed to preserve their business over the long term,” it said in a statement. 

Bryan J. Kennedy, president of Epsilon, said: “We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information.

“We apologise for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence.”

Mary Landesman, market intelligence manager at Cisco, said: “Because email addresses were not considered of great value in the criminal underground, I suspect the attack on Epsilon began as something random. Hackers often scan the internet looking for machines that have a certain vulnerability or misconfiguration and then, once they hit upon something, look further to see if the victim interests them.

“At this stage we can only speculate that this is what happened; the attackers had found themselves on Epsilon's system, realised what they had and then worked to acquire their customer lists.”

Garry Sidaway, director of security strategy at Integralis, said: “Email databases are still a major target for hackers because the risk to reward are great. Spear phishing still results in greater rewards when unsuspecting individuals who have received a personal email click on links and update not only their passwords, but also their credit card information.

“All businesses issue warnings and alerts stating that they will never ask for personal information via an email, but then they follow this up with an email campaign for the latest sales, inviting the person to ‘click’ on a link. Most people like the convenience of this and simply click on the link and this is what the criminals are relying on. The user is bombarded with conflicting advice and then clicks on the links.”
