Massive Hack of Top E-Marketer May Leave Millions Open to Phishing Attacks

The databases of the world's largest email marketer were hacked last week, which means customers of major brands such as Citi, Marriott and Disney may soon find their in-boxes filling up with phishing scams.

Epsilon hosts databases of more than 2,500 clients, including seven of the Fortune 10, which they use to market to millions of customers. On April 1, Epsilon released the following brief statement:

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

The company gave no further details about the number of clients whose databases were hacked, or the number of consumers whose names and emails were stolen.

An Epsilon spokeswoman said she was unable to comment on any specifics of the security breach beyond the information provided in the company's official statement.

Epsilon, which describes itself as "the world's largest permission-based email marketing provider," sends more than 40 billion emails annually, so the number of stolen names and email addresses may well number in the millions.

Because the hackers managed to steal both names and email addresses of consumers, identity thieves may be able to use them to penetrate home computer defenses by sending targeted phishing emails from supposedly trusted sources.

Targeted phishing attacks, also known as "spearphishing," are often successful in getting unsuspecting consumers to reveal passwords, Social Security numbers and other sensitive information.

Although Epsilon is not naming names, Security Week published the following list of Epsilon clients whose databases it says were among those hacked:
  • Kroger
  • TiVo
  • US Bank
  • JPMorgan Chase
  • Capital One
  • Citi
  • Home Shopping Network (HSN)
  • McKinsey & Company
  • Ritz-Carlton Rewards
  • Marriott Rewards
  • New York & Company
  • Brookstone
  • Walgreens
  • The College Board
  • Disney Destinations
  • Best Buy
The Associated Press reported that the databases of Epsilon clients Barclays Bank and Ethan Allen were also hacked. If you're a customer of one of these companies, don't be surprised if you receive an email from them warning you to be on the lookout for phishing scams. Here's a copy of one such email sent by Chase, which includes good advice for customers of any Epsilon client whose email was compromised:

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send emails, that an unauthorized person outside Epsilon accessed files that included email addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer email addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an email. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by email.

As a reminder, we recommend that you:

  • Don't give your Chase Online User ID or password in email.
  • Don't respond to emails that require you to enter personal information directly into the email.
  • Don't respond to emails threatening to close your account if you do not take the immediate action of providing personal information.
  • Don't reply to emails asking you to send personal information.
  • Don't use your email address as a login ID or password.

The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at and click on "Fraud Information" under the "How to Report Fraud." It provides additional information on exercising caution when reading emails that appear to be sent by us.

Patricia O. Baker
Senior Vice President
Chase Executive Office

Hackers also broke into TripAdvisor's servers last month, making off with an unknown number of emails from the popular travel site, which boasts 20 million members.