December 11, 2016

Hacker Steals Thousands of Email Addresses in Epsilon Breach

Epsilon, the world’s largest permission-based email marketing provider, which sends over 40 billion emails annually, has revealed that on March 30th it detected a breach in which a hacker accessed email addresses and customer names for around 50 of Epsilon’s clients.

Epsilon is assuring its clients (and their customers) that the information obtained was limited to email addresses and/or customer names. However, the breach does leave the customers of Epsilon’s clients (which include Best Buy, Capital One, Citi, JPMorgan Chase, US Bank, TiVo and Walgreens) susceptible to scammers and phishing attacks, as the hacker will be able to send fake emails to registered users who are already expecting emails from these large retailers or banks.

As a result, Epsilon’s clients have started warning their customers to be alert for unusual or suspicious emails. Best Buy sent an email to its customers in which it said:

“For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.”

JPMorgan Chase released a statement about the breach: “We are advised by Epsilon that the files that were accessed did not include any customer financial information, but are actively investigating to confirm this. As always, we are advising our customers of everything we know as we know it. Chase will never ask customers for personal information or credentials in an email.”

Update: Marriott International, Inc. has also sent a similar-sounding email to its customers: “However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.”