Epsilon has reconfirmed that no personally identifiable information was compromised in the recent breach of its database.
In a statement, its parent company Alliance Data Systems said that the unauthorised entry only saw email addresses and/or customer names taken and not social security numbers, credit card numbers or account information.
Ed Heffernan, chief executive officer of Alliance Data Systems, said: “We fully recognise the impact this has had on our clients and their customers and on behalf of the entire Alliance Data organisation, we sincerely apologise.
“While we can't reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets, their customers. Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber thieves with the greatest sense of urgency.”
Epsilon confirmed that two per cent of its email clients' customer information had been exposed by an unauthorised entry into its email system. It said that since that discovery, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised. It is now working with federal authorities and outside forensics experts both to investigate this matter and to ensure that any additional security safeguards needed will be promptly implemented.
Epsilon also confirmed that security protocols controlling access to the system have undergone a rigorous review and access has been further restricted as the ongoing investigation continues. It said that marketing campaigns were restarted as clients continued to receive further assurance regarding security.
“The company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients. Specifically, the company's number one priority over the near and long-term will be to ensure that Epsilon's clients regain complete trust in the company's operations. All efforts will be made to reach out to those affected clients and provide whatever assistance is needed to preserve their business over the long term,” it said in a statement.
Bryan J. Kennedy, president of Epsilon, said: “We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information.
“We apologise for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence.”
Mary Landesman, market intelligence manager at Cisco, said: “Because email addresses were not considered of great value in the criminal underground, I suspect the attack on Epsilon began as something random. Hackers often scan the internet looking for machines that have a certain vulnerability or misconfiguration and then, once they hit upon something, look further to see if the victim interests them.
“At this stage we can only speculate that this is what happened; the attackers had found themselves on Epsilon's system, realised what they had and then worked to acquire their customer lists.”
Garry Sidaway, director of security strategy at Integralis, said: “Email databases are still a major target for hackers because the risk to reward are great. Spear phishing still results in greater rewards when unsuspecting individuals who have received a personal email click on links and update not only their passwords, but also their credit card information.
“All businesses issue warnings and alerts stating that they will never ask for personal information via an email, but then they follow this up with an email campaign for the latest sales, inviting the person to ‘click’ on a link. Most people like the convenience of this and simply click on the link and this is what the criminals are relying on. The user is bombarded with conflicting advice and then clicks on the links.”