April 4, 2011

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

Among Epsilon’s clients affected are three of the top ten U.S. banks (JP Morgan Chase, Citibank and U.S. Bank) as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more effective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”
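
To make the mechanics of that concrete, here is an added example (not part of the original post, and not Rasmussen's) of the kind of triage a mail filter or a careful recipient can apply to messages that invoke one of the brands listed at the bottom of this post. The brand-to-domain mapping, the lure word list and both sample messages are constructed for the example. Note that a correct recipient name is deliberately not counted as evidence of legitimacy: after a name-plus-email leak the attacker has the name too.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands from the post's list, mapped to the domains they legitimately mail from.
# The domain mapping is this example's assumption, not something the post states.
BRAND_DOMAINS = {
    "US Bank": {"usbank.com"},
    "Chase": {"chase.com", "jpmorganchase.com"},
    "Walgreens": {"walgreens.com"},
}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
LURE_RE = re.compile(r"\b(verify|confirm|log ?in|password|suspend\w*|update your account)\b", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com; use the public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_named_in(text: str):
    """Return the first listed brand whose name appears in the text, else None."""
    low = text.lower()
    for brand in BRAND_DOMAINS:
        if brand.lower() in low:
            return brand
    return None


def triage(raw_message: str) -> dict:
    """Flag a plain-text message that invokes a listed brand but does not originate from,
    or link to, that brand's domains. A personalized greeting is deliberately NOT treated
    as evidence of legitimacy: after a name+email leak the attacker has the name too."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    brand = brand_named_in(display_name) or brand_named_in(msg.get("Subject", ""))
    result = {"brand": brand, "findings": []}
    if brand is None:
        return result
    allowed = BRAND_DOMAINS[brand]
    sender_domain = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_domain not in allowed:
        result["findings"].append(f"sender domain {sender_domain!r} is not a {brand} domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = [registrable(h) for h in URL_RE.findall(body)]
    for host in link_hosts:
        if host not in allowed:
            result["findings"].append(f"link to {host!r} is outside {brand}'s domains")
    if link_hosts and LURE_RE.search(body):
        result["findings"].append("credential lure wording combined with a link")
    return result


# Constructed sample messages (not real mail) for the demonstration.
PHISH = """From: "US Bank Customer Service" <alerts@usbank-secure-login.com>
To: jane.doe@example.com
Subject: Action required on your US Bank account

Dear Jane Doe,

Unusual activity was detected. Please log in to verify your account:
http://usbank.verify-account.net/login
"""

LEGIT = """From: "US Bank" <noreply@usbank.com>
To: jane.doe@example.com
Subject: Your US Bank statement is ready

Dear Jane Doe,

Your statement is available at https://www.usbank.com/statements
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Run stand-alone it prints the findings for both constructed messages. The domain matching is a crude last-two-labels heuristic; in production use the public suffix list, and pair this header-and-link check with the sending domain's SPF/DKIM results rather than relying on it alone.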

Crooks used very similar spear phishing methods to steal customer contact information from dozens of email marketing firms late last year, as KrebsOnSecurity.com first reported in detail. In the wake of that assault, data spills at other email marketing firms like SilverPop have prompted disclosures from clients such as TripAdvisor and Play.com.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

“There are best practices that the majority of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

“To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

“The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”
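
One way to make “opt out means removal” concrete, as an added example (not Zittrain's proposal, and not anything the post attributes to Epsilon): the marketing datastore deletes the opted-out record outright and keeps only a keyed digest of the address, so that a later list upload from the client cannot quietly re-add it. The class, the HMAC-based suppression set and the key handling are this example's own design choices; the key and the sample addresses are constructed.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    """Canonical form so that 'Jane.Doe@Example.com ' and 'jane.doe@example.com' are the same
    subscriber. Lower-casing the local part is a pragmatic choice (RFC 5321 allows it to be
    case-sensitive, but mailbox providers almost never are)."""
    return email.strip().lower()


class MailingList:
    """Subscriber store in which opting out deletes the record. Only a keyed digest of the
    address is kept, so the opt-out is still honoured when a client re-uploads the address."""

    def __init__(self, suppression_key: bytes):
        self._key = suppression_key   # assumed to live in an HSM or a separate service in practice
        self._subscribers = {}        # normalized email -> record
        self._suppressed = set()      # HMAC digests only; no addresses

    def _digest(self, email: str) -> bytes:
        return hmac.new(self._key, normalize(email).encode(), hashlib.sha256).digest()

    def subscribe(self, email: str, name: str) -> bool:
        """Add a subscriber unless the address has opted out. Returns True if added."""
        if self._digest(email) in self._suppressed:
            return False
        self._subscribers[normalize(email)] = {"name": name}
        return True

    def opt_out(self, email: str) -> None:
        """Genuine removal: the plaintext record is gone; the digest blocks re-adds."""
        self._subscribers.pop(normalize(email), None)
        self._suppressed.add(self._digest(email))

    def import_list(self, records) -> int:
        """Bulk load from a client file; returns how many were actually added."""
        return sum(self.subscribe(email, name) for email, name in records)

    def at_rest(self) -> dict:
        """What a copy of the datastore contains, which is what a breach exposes."""
        return {
            "subscribers": sorted(self._subscribers),
            "suppressed_digests": sorted(d.hex() for d in self._suppressed),
        }


if __name__ == "__main__":
    ml = MailingList(b"constructed-demo-key")   # demo key only
    ml.import_list([("Jane.Doe@Example.com", "Jane"), ("bob@example.com", "Bob")])
    ml.opt_out("jane.doe@example.com")
    ml.import_list([("JANE.DOE@example.com", "Jane")])   # client re-uploads; stays suppressed
    print(ml.at_rest())
```

An attacker who copies both tables gets the live subscribers but no addresses from the suppression set. Email addresses are low-entropy, so an unkeyed hash would be trivially brute-forced against a dictionary of known addresses, which is why the digest is keyed and the key must live outside the database. With the key in hand anyone can still test a guessed address for membership, so the scheme hides who opted out; it does nothing for the addresses that remain in the subscriber table, which is the population the Epsilon breach actually exposed.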

Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

“Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

The stock price for Epsilon’s parent company, Alliance Data Systems Corp. (NASDAQ: ADS) was down $4.77 per share, or 5.55 percent, in mid-day trading Monday.

Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • GlaxoSmithKline
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Lacoste
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • M&T Bank
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Scottrade
  • Smith Brands
  • Target
  • TD Ameritrade
  • TIAA-CREF
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

160 thoughts on “Epsilon Breach Raises Specter of Spear Phishing”

  1. Mike B.

    I’ve received six notifications so far! I hope these companies stop doing business with these idiots!

    1. eCurmudgeon

      I hope these companies stop doing business with these idiots!

      I’m hoping the FTC and other federal agencies come down on Epsilon like the Wrath Of God. This needs to be a business-ending event, with Epsilon being put up on a post as a warning to others…

  2. Heather

    You have the most up to date list of affected companies and best write up I’ve seen on this. I got a notice from Best Buy but nothing from Verizon yet. Did Epsilon remove their statement from the website?

  3. Martijn Grooten

    Good post, Brian and thanks for writing about this again. I too think this is more than just an isolated incident.

    A bit of nitpicking though: is it correct to call Return Path an “email service provider”? I thought that terminology was reserved for the kind of company Epsilon is.

    1. BrianKrebs Post author

      Hi Martijn. Thanks for your comment. RP seems to be in the email delivery business. I’m curious what would you call them?

      1. Martijn Grooten

        Most accurately would be an ESPSP as they provide services to ESPs. 🙂 Perhaps “deliverability experts” or something along those lines?

        1. BrianKrebs Post author

          ESP is already a euphemism for many people, seeing how vehemently folks tend to feel about stuff they perceive as unwanted or unsolicited in their inbox. I couldn’t ever imagine using a term like ESPSP in a story, or a loaded term like “deliverability experts.”

          1. Pedro Montoya

            To clarify how Return Path works:

            They have “seed” email accounts that their clients add to their distribution list. When a client sends a batch email, Return Path monitors if the batch message gets flagged as spam by the major email services, and then works with those providers to get it de-listed from the spam flag.

            This is what’s meant by “deliverability” experts – they work with clients to make sure that messages get to the inbox of the end customers.

            As far as taxonomy, i’d call them an email service provider, but they do not do any message delivery themselves.

          2. Tami Forman

            Hi guys! As some commenters note, we don’t send email on behalf of clients. The services we offer include monitoring of inbox placement through seedlists, monitoring of IP reputation through our cooperative data network and email certification (whitelisting). Obviously that’s a mouthful, so in short we usually use “email reputation monitoring service provider” or even just “email certification service” as that is one of our main businesses and much of our work is aimed at getting clients eligible for certification. We agree that “deliverability” can be a loaded term and not well understood outside the echo chamber, though we are certainly often referred to by industry folks as a “deliverability services provider.”

            Hope that helps clarify!

  4. guideantivirus

    Hello,

    I’m curious to see the ripples of this in Europe, regarding the recent increase in phishing attacks.

  5. Moike

    >his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

    Encryption – not a panacea for the problem. It would present little more than a speed bump to those who want Email addresses. Consider that the mailer program would need decryption keys to function. So now those keys are protected… there are logs. Just steal the logs to get a large subset of addresses. So logs must be sent to a write-only destination. All commercial email sending providers finally protected? Just steal the incoming email logs from any large provider and correlate IP address to extract legitimate lists.

  6. a problem with spam?

    damn, some spammers made a serious amount of money from these lists

  7. Frank

    My spam has increased a lot recently. So far Best Buy Rewards is the only one to notify me. I do business with others on that list. I’m especially surprised that the banks have been silent, as are the news programs.

    1. JBV

      Is your ISP filtering out the notices as being spam?

      KTVU (Fox) in San Francisco did a story on the Walgreens breach on last night’s news, but did not mention any other companies.

  8. Alan

    no notifications received yet from three mentioned businesses on your list.

    1. BrianKrebs Post author

      Well, keep in mind that Epsilon may have been handling messaging for only a subset of the customers of the clients listed. For example, they might have been only handling email for a specific division of one of the companies named.

  9. gnomic

    Kroger wants you to know that the data base with our customers’ names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

    Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

    If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).

    Sincerely,

    The Kroger Family of Stores

    via http://krogermail.com/1e84e0c2alayfousibljnj7qaaaaabchgfkkciz4izeyaaaaa

  10. Mike

    I have done business with three of the organizations on the list and none of them has contacted me about the breach.

  11. Andy H.

    Here is what I received from Abe Books:

    Epsilon Informs AbeBooks of E-mail Database Breach

    We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

    As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.

  12. Sherry Chupka

    I got this message from HSN (home shopping network)

    April 2, 2011

    Dear HSN Customer,

    HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.

    Email scams, spam, and other attacks on email systems are on the rise, but, by taking certain precautions when receiving emails, you can continue to safely use email for your business and personal needs:

    * Don’t open links or attachments from people you don’t know and trust.
    * Don’t provide personal, financial, or other sensitive information when asked to do so by email. Most reputable companies do not ask for such information by email, and, rest assured, we will not do so.
    * If you receive an email appearing to come from us that does ask you for sensitive information, do not respond, click on any links, or download any attachments. Instead, please inform us immediately at the toll-free number or email address provided below.

    We take your privacy very seriously and work diligently to protect your information, whether held by us or by our service providers. HSN’s internal databases, which store all customer-provided data, were in no way compromised. Our email provider has taken significant steps to further protect the limited customer information held in its databases. If you have any questions or concerns regarding this incident, please contact us toll free at 1-800-933-2887 or email us at customerservice@hsn.com.

    Sincerely,
    Gregg Stallwood
    Senior Vice President, Customer Care – HSN

    Please do not reply to this email. If you would like to contact us, please call us toll free at 1-800-933-2887 or email us at customerservice@hsn.com.
    HSN Interactive LLC | Attn: Customer Service | 1 HSN Drive | St. Petersburg, FL 33729

  13. Kevin

    Wondering what sort of liability Epsilon has to those affected.

    1. PaulJ

      I would guess that since the ‘only’ stated negative effect will be more spam for the impacted users, Epsilon will disclaim any liability.

  14. dotzero

    As usual, good article Brian. You list 35 companies so we can expect another 15 or so if the NYT article is correct where it indicated that approximately 2% of Epsilon’s 2500 clients were impacted.

    A couple of interesting points:

    1) A significant percentage of the companies appear to be using some or all boilerplate which I’m guessing was provided by Epsilon;

    2) None of the impacted companies appear to be calling out that they are engaged in practices such as strong SPF records, DKIM signing all mails from their domains and/or the use of EV certs for their websites (“Look for the green bar”).

    Other than making generic statements such as “Your personal information is protected by advanced technology.” I don’t see much communicated that would be useful to endusers.

    1. Jane

      I noticed that too. What particularly got to me was the variations on “CONTINUE to work diligently.” Everything I’ve read so far indicates that Epsilon failed to protect the information almost AT ALL and the affected companies failed in “due diligence” to find out about their data handling.
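
dotzero's point in comment 14 about “strong SPF records” can be checked mechanically. The following is an added example, not from the post or from any of the commenters: a minimal SPF evaluator run against a constructed DNS zone (a dict standing in for live TXT lookups). The domain names, IP ranges and records are invented for the example. It handles the ip4, ip6, include, redirect and all terms, which is enough to show the difference between a -all policy and a ~all policy.

```python
import ipaddress

# Constructed zone standing in for live DNS TXT lookups (an assumption of this example).
ZONE = {
    "strict-brand.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "soft-brand.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example ~all",
    "legacy-brand.example": "v=spf1 redirect=strict-brand.example",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
    "no-spf.example": "",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    rec = zone.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate SPF for a connecting IP against the sending domain's policy.
    Supports ip4, ip6, include, redirect and all; a/mx/exists/ptr need live DNS and
    are reported as permerror here. Returns the standard SPF result string."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms; this is the loop guard
        return "permerror"
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect_to = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect_to = term.split("=", 1)[1]   # applied only if no mechanism matches
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # Membership is False on a version mismatch, so ip4 terms never match IPv6 peers.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_spf(ip, arg, zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    if redirect_to:
        return check_spf(ip, redirect_to, zone, depth + 1)
    return "neutral"


def policy_strength(domain, zone=ZONE):
    """How much a receiver can act on the record: enforcing (-all), soft (~all), or none."""
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    terms = record.split()
    if "-all" in terms:
        return "enforcing"
    if "~all" in terms:
        return "soft"
    for t in terms:
        if t.startswith("redirect="):
            return policy_strength(t.split("=", 1)[1], zone)
    return "none"


if __name__ == "__main__":
    for ip, dom in (("192.0.2.10", "strict-brand.example"), ("203.0.113.5", "strict-brand.example"),
                    ("203.0.113.5", "soft-brand.example"), ("2001:db8::1", "strict-brand.example")):
        print(dom, ip, check_spf(ip, dom), policy_strength(dom))
```

check_spf returns the standard SPF results (pass, fail, softfail, neutral, none, permerror); only an enforcing record lets a receiver reject an unauthorized source outright. One caveat a practitioner should keep in mind: SPF is evaluated on the envelope sender (MAIL FROM) and the connecting IP, not on the From: header the recipient sees, so a phisher who sends from their own correctly configured domain passes SPF while displaying a bank's name. DKIM signing by the brand's domain plus a DMARC policy requiring alignment is what ties the visible From: domain to these checks.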

  15. JS

    It’s, I guess, perhaps a sensible practice to email a message about an email breach.

    The tie back to a legitimate contact is a phone, an email, or a postal address but not a website… is it me or is that so 90’s.

    Too bad the companies don’t link back to their own site’s SSL signed page for major formal corporate announcements. This verifiable place then securely points to the 1 800 helpdesk or customer contact form/id.

    Seems that in keeping announcements email the businesses can quietly “submerge” the issue.

    Perhaps its IT professionals need to suggest data breaches ought to be at the same level of publication like ad misprints or mistakes which have to be published.

  16. Andy H.

    From The College Board:

    We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.

    Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.

    Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

    In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.

    Epsilon has reported this incident to, and is working with, the appropriate authorities.

    We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Sincerely,

    The College Board

  17. Karen

    Just received notification from Ethan Allen.

    1. BrianKrebs Post author

      Hi Karen. Can you post the entirety of the Ethan Allen notice here, or forward it to me at

      krebsonsecurity at gmail dot com

      Thanks.

      1. Shawn

        I got a letter from EthanAllen as well:

        This email was sent to you by Ethan Allen.
        Please add ethanallenstyle@email.ethanallen.com to your address book. This will ensure delivery to your inbox.
        Having difficulty viewing our email? View this email in a browser window.

        You received this email because you requested Ethan Allen’s email updates.
        To unsubscribe from our emails, please click here.

        View our privacy policy

        © 2011 Ethan Allen Global, Inc. P.O. Box 1966 Danbury, CT 06813

        1. Shawn

          Sorry, body was an image apparently. Emailing a copy…

  18. Chris

    I found two notices from Barclay’s in Gmail’s spam folder.

  19. AlphaMack

    Just a FYI this is the second time Walgreens has had their customer information compromised.

    As a Gmail user I like to use labels whenever I am asked to provide an e-mail address. If you have a Gmail account, you can modify your e-mail address like this: yourname+label@gmail.com. Then you can set filtering rules based on that modification. Not all sites allow this, so be warned. It’s great when you want to know who is selling your information around. This also means that if you have already been using labels, you’ll have to change them to distinguish the real e-mail messages from the spam.

    1. PaulJ

      AlphaMack, the “plus” addressing is great advice, I used this on a former ISP for years until I started finding user registration forms would not accept “+” as a valid email character. Apparently their email regexes were not RFC compliant. I didn’t realize Gmail supported it — time to update some addresses for better tracking!

    2. Jane

      Thanks so much! I’ve just been setting up separate gmail accounts. I feel dumb 😀

      I can see the concern about the “+” character. It irritates me when the form won’t allow “dotted.name@” email addresses, too.
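
As an added example (not AlphaMack's, PaulJ's or Jane's code), here is a small classifier that automates the idea in comment 19: given the plus-label you handed each vendor and the domains that vendor legitimately mails from, it reports whether a message arrived on the expected label from the expected sender, on a label you have already retired after a leak, or on a vendor's label from someone else, which is the signal that the address was shared, rented or stolen. The mailbox name, the label table, the sender domains and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_BASE, MY_DOMAIN = "alice", "gmail.com"   # mailbox assumed for this example

# Label handed to each vendor -> domains that vendor legitimately mails from (constructed).
LABELS = {
    "walgreens": {"walgreens.com"},
    "bestbuy": {"bestbuy.com", "emailinfo.bestbuy.com"},
}
# Labels already known to be leaked: everything addressed to them is binned, whoever sent it.
RETIRED = {"tivo"}


def split_plus(addr: str):
    """'alice+walgreens@gmail.com' -> ('alice', 'walgreens', 'gmail.com'); label is '' if absent."""
    local, _, domain = addr.rpartition("@")
    base, _, label = local.partition("+")
    return base.lower(), label.lower(), domain.lower()


def recipient_label(msg) -> str:
    """The plus-label this message was addressed to, or '' if it reached the bare address."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    for _, addr in getaddresses(raw):
        base, label, domain = split_plus(addr)
        if (base, domain) == (MY_BASE, MY_DOMAIN):
            return label
    return ""


def sender_allowed(sender_domain: str, allowed) -> bool:
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def classify(raw_message: str):
    """Returns (verdict, label). 'label-leaked' means a vendor-specific address was used by
    someone other than that vendor, i.e. the address was shared, rented or stolen."""
    msg = message_from_string(raw_message)
    label = recipient_label(msg)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if not label:
        return "unlabeled", label
    if label in RETIRED:
        return "retired-label", label
    if label not in LABELS:
        return "unknown-label", label
    if sender_allowed(sender_domain, LABELS[label]):
        return "ok", label
    return "label-leaked", label


# Constructed sample messages for the demonstration (not real mail).
GENUINE = "From: Walgreens <noreply@walgreens.com>\nTo: alice+walgreens@gmail.com\nSubject: Weekly ad\n\n...\n"
LEAKED = "From: Deals <promo@pharma-offers.example>\nTo: alice+walgreens@gmail.com\nSubject: Cheap meds\n\n...\n"
OLD = "From: TiVo <news@tivo.com>\nTo: alice+tivo@gmail.com\nSubject: Hello\n\n...\n"
BARE = "From: Bob <bob@example.com>\nTo: alice@gmail.com\nSubject: Lunch?\n\n...\n"

if __name__ == "__main__":
    for raw in (GENUINE, LEAKED, OLD, BARE):
        print(classify(raw))
```

The “label-leaked” verdict is what a plain Gmail filter on to:(alice+walgreens@gmail.com) cannot give you on its own, because that filter matches both the vendor's real mail and the spam sent to the leaked address; the sender-domain check separates them, and retiring a label keeps the old address useful as a spam trap. The caveats already raised in the thread stand: not every form accepts “+”, and the verdicts are only as good as the sender-domain table you maintain.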

  20. Andy H.

    From Chase:

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    Don’t give your Chase OnlineSM User ID or password in e-mail.
    Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    Don’t reply to e-mails asking you to send personal information.
    Don’t use your e-mail address as a login ID or password.

    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

  21. Maureen

    From Ameriprise Financial:

    We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.

    Please remember, Ameriprise will never ask you for personal or account information through email. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.

    Consider these tips to help protect your personal information online:
    Don’t email personal or financial information. Regular email is not a secure method of transmitting personal information. Some companies, including Ameriprise Financial, offer a secure email service that you can use when you need to exchange sensitive information.

    Don’t reply to or click on links in email or pop-up messages that ask for personal information. Legitimate companies will not attempt to collect personal information outside of a secure website. If you are concerned about your account, contact the organization mentioned in the email or pop-up.

    Use anti-virus and anti-spyware software and a firewall. Some phishing emails contain software, such as spyware, that harm your computer or track your activities on the Internet. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files.

    Use caution when opening attachments or downloading files from email. These files can contain viruses or other software that can weaken your computer’s security.
    The security of your information is very important to us. If you have questions or concerns, visit our Privacy and Security Center on ameriprise.com or contact an Ameriprise client service representative at (800) 862-7919 (option 2).

    Sincerely,

    George Tsafaridis
    Vice President, Service Delivery

    1. BrianKrebs Post author

      Thanks, T.Anne for pointing that out. I realized after your comment that I’d taken those numbers from a Q4 press release that examined only a portion of their clients and email volume. I’ve updated the blog post with the new information along with a note that I’ve done so.

  22. Teezer

    I wonder who the companies are using to send out their breach notices?

  23. Sam

    I got 2 letters this weekend, one from US Bank and the other from TiVo.

    Dear TiVo Customer,

    Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

    We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

    We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

    Sincerely,
    The TiVo Team

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
    http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

    In addition, if you receive any suspicious looking emails, please tell us immediately.
    Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

    The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

  24. Mike

    Brian, I have the Robert Half and Citi Card notification if you want to see them… What really upsets me is that I never even signed up for Robert Half email, yet somehow my info is in their compromised db.

    1. Karen

      Mike,

      Companies have the right to “rent” email databases to other companies. Consumers have to be diligent about opting out of these practices, as much as possible.

    2. Jeffrey Walton

      Mike,

      The problem is with Citi Group. They are economic terrorists – part of the cause for the recent economic meltdown, receive corporate welfare during the bailouts, certain divisions cannot do business in Japan (for money laundering), etc, etc, etc.

      Change banks to a local, Mom and Pop. You probably enjoy better service and improved ethics (from the board of directors).

      Jeff

  25. CJ

    From Hilton Honors

    Dear Customer:

    We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

    • Do not open e-mails from senders you do not know

    • Do not share personal information via e-mail

    Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

    As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

    Sincerely,

    Jeffrey Diskin
    Senior Vice President, Customer Marketing
    Hilton Worldwide

  26. Too Many Secrets

    Walgreen’s email

    Dear Valued Customer,

    On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

    We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

    We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Sincerely,

    Walgreens Customer Service Team

    PLEASE DO NOT REPLY TO THIS MESSAGE.
    This is a system-generated Walgreens email. Replies will not be read or forwarded for handling.

    This message was sent to saundrakaerubel@yahoo.com

    Contact Us | Unsubscribe | Update Email Address | Privacy Policy

    Copyright 2010 Walgreen Co., 200 Wilmot Road, Deerfield, IL 60015-4620. All rights reserved.

    1. Jane

      Is there a moderator function or something that can remove TMS’s email?

  27. Bill

    It’s a small step from email addresses to sensitive information like social security and credit card numbers. These companies won’t change their atrocious lack of protection for consumer information until they are forced to. Why should they, it just costs money and adds hassle to a profitable business?

    I suggest that the govt, either under existing authorities or with new laws passed by Congress, make it highly unprofitable for companies that lose data to hackers. Perhaps a dollar for each name the first time, five dollars the next time, and so on. That would give them a profit motive to protect data.

    In addition, a company that used one of these outfits would also be fined, which would provide incentive for them to insist on data protection, and vote with their feet, by moving their business to companies that have solid data protection.

    Nobody wants more regulation, but as it stands, the consumer is totally unprotected because companies don’t have incentives to protect data. What I suggest would change that. What do you think?

  28. Jeffrey Walton

    Important Announcement For BJ’s Visa(R) Customers

    Barclays Bank of Delaware is the bank behind your credit card referenced above. We have been informed by Epsilon, a marketing vendor we use to send emails to customers, that someone outside their company gained unauthorized access to files in their systems that included your email address. This has affected many of our credit cards under our various co-brands, including the brand on your card.

    ….
