April 4, 2011

Epsilon Breach Raises Specter of Spear Phishing

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

Among Epsilon’s clients affected are three of the top ten U.S. banks (JP Morgan Chase, Citibank and U.S. Bank) as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more effective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

Crooks used very similar spear phishing methods to steal customer contact information from dozens of email marketing firms late last year, as KrebsOnSecurity.com first reported in detail. In the wake of that assault, data spills at other email marketing firms like SilverPop have prompted disclosures from clients such as TripAdvisor and Play.com.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

“There are best practices that the majority of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

“To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

“The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”

Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

“Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

The stock price for Epsilon’s parent company, Alliance Data Systems Corp. (NASDAQ: ADS), was down $4.77 per share, or 5.55 percent, in mid-day trading Monday.

Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • GlaxoSmithKline
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Lacoste
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • M&T Bank
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Scottrade
  • Smith Brands
  • Target
  • TD Ameritrade
  • TIAA-CREF
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank


160 comments

  1. To our valued guests,

    Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.

    While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.

    Consider these tips to help protect your personal information online:
    • Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.
    • Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.
    • Don’t open emails from senders you don’t know.
    We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.

    Sincerely,

    Bonnie Gross
    Vice President, Marketing and Guest Engagement

    • Wow. Thanks Saprenee!

    • To our valued guests,

      Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.

      While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.
      Consider these tips to help protect your personal information online:

      * Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.
      * Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.
      * Don’t open emails from senders you don’t know.

      We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.

      Sincerely,

      Bonnie Gross
      Vice President, Marketing and Guest Engagement

    • Here’s something to think about…

      I just got a warning email from Target. I’m not clicking on ANY link in ANY email because the bad guys are clever enough to send out similar emails with links that can download malware.

      Regardless of the company, they should NEVER include hyperlinks in their email. The best practice would be to provide the URL or email address and not make it an email hyperlink. This way consumers can manually type in the email if we have further questions because this increases the odds it reaches the correct company and is not a link that downloads malware.

      If we’re going to be security conscious, we should think one step ahead of the bad guys.

      • While I agree in principle, the fact is that many email clients (even some web-based ones) automatically convert URLs into hyperlinks. Browser add-ons can also do this. So simply omitting hyperlinks in favor of bare URLs is not a panacea.

        • You are correct…

          Maybe a better approach would be for the company to direct them to their legitimate secured website and have a webpage that provides more detailed/educational information.

          Companies requesting our emails must make every effort to educate consumers about avoiding spam, phishing and spyware downloads from links.

          Here’s something else to consider.

          Because the point of most spyware/malware is to obtain private login information by way of downloading undetectable “keyloggers” on your computer, avoiding sending emails with any clickable links should become a practice adopted by all companies.

          • This is an excellent point. I was interviewed by several publications today, and one common question I got was, so what’s going to happen now? Are they really going to start phishing people? And my reply was, well, if you’re a bad guy, what’s the best bang for your buck: stealing one password with a phishing site, or convincing someone to install malware or click a link that installs malware that steals all of your passwords?

          • While we’re on the subject of educating, we consumers are in need of a backup plan in the event undetectable malware is installed on our systems from such attacks that might ensue from stolen emails.

            I encourage people to check out my firm’s site to gain a little more insight on the truth and the myths:

            http://www.SecureMySocialNetworking.com

            At the very least, the information there may be an affirmation of what you know or eye opening to what you need to understand so you aren’t always a victim.
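The exchange above about bare URLs versus hyperlinks comes down to one check that a mail client, a gateway or a curious recipient can make: does the link go where it appears to go, and does it stay under the brand’s own domain? The Python below is an added example and is not from the original post or from any of the commenters. The HTML body is constructed in the style of the notices quoted in this thread (the look-alike host uses the reserved .example TLD), and the brand domain to check against is passed in as a parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host a URL really points at; for mailto: links, the part after '@'."""
    parsed = urlparse(url.strip())
    if parsed.scheme == "mailto":
        return parsed.path.rpartition("@")[2].lower()
    return (parsed.hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains; False for look-alikes
    such as target.com.account-verify.example, which merely start with it."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text: str) -> bool:
    t = text.strip()
    return " " not in t and ("://" in t or t.startswith("www."))


def suspicious_links(html: str, brand_domain: str) -> list:
    """Two independent checks per link:
    1. the real destination is not under the brand's domain;
    2. the visible text is itself a URL whose host differs from the real one
       (the classic display-text/href mismatch)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = host_of(href)
        reasons = []
        if not under_domain(dest, brand_domain):
            reasons.append(f"destination {dest!r} is not under {brand_domain}")
        if looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != dest:
                reasons.append(f"text shows {shown!r} but link goes to {dest!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one genuine link, one look-alike and one mailto: link.
SAMPLE_HTML = """
<p>To our valued guests,</p>
<p>Details of the incident are posted at
   <a href="https://www.target.com/security">www.target.com/security</a>.</p>
<p>To confirm your account, sign in at
   <a href="http://target.com.account-verify.example/login">https://www.target.com/login</a>.</p>
<p>Questions? <a href="mailto:Guest.Relations@target.com">Contact Guest Relations</a>.</p>
"""


def check_sample() -> list:
    return suspicious_links(SAMPLE_HTML, "target.com")


if __name__ == "__main__":
    for finding in check_sample():
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the second link is reported, for both reasons. Note what the check cannot do: it says nothing about a link that stays on the brand’s domain but leads to a compromised page, and a client that auto-links bare text (the point made above) turns plain URLs into exactly the anchors this code inspects, so the check is worth running on plain-text mail after the client has rendered it, not only on HTML.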

  2. Here’s a similar one that just arrived from Hilton Honors, signed by a Senior VP:

    “Dear Customer:
    We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

    • Do not open e-mails from senders you do not know

    • Do not share personal information via e-mail

    Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

    As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.”

  3. Woops — someone had already posted that from Hilton…sorry.

  4. I received and deleted an email from Oil Can Henry’s asking me to confirm my email and contact information this morning. Yes, I am on their list, though there is no need for them to confirm this. Wondering if they need to be added to your list.

  5. Dear Guest,
    We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We use our email service providers to help us manage the large number of email communications with our guests. Our email service providers send emails on our behalf to guests who have chosen to receive email communications from us.

    How will this affect you? First, we want to assure you that your name and email address were the only information that was compromised. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information. As a result, you should be extremely cautious before opening links or attachments from unknown third parties or providing a credit card number or other sensitive information in response to any email. Also know that Red Roof will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from Red Roof.

    We appreciate your business and loyalty to Red Roof and take your privacy very seriously. We will continue to work diligently to protect your personal information.

    If you have any questions regarding this incident, please contact us at 877.733.7663 between the hours of 9am and 5pm Eastern.

    Sincerely,
    Brenda Eddy Manager, Loyalty Marketing
    Red Roof Inns, Inc.

  6. I got the same email as above from Target too.

  7. Too Many Secrets

    Target email

    To our valued guests,

    Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.
    While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.
    Consider these tips to help protect your personal information online:
    • Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.
    • Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.
    • Don’t open emails from senders you don’t know.
    We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.
    Sincerely,
    Bonnie Gross
    Vice President, Marketing and Guest Engagement

  8. Hi Brian,

    Thanks for the great post. Here’s a thoughtful post by the CEO of esp, Sailthru on how to avoid an Epsilon style leak. Thought you would find it interesting:

    http://bit.ly/dDZsjy

  9. Steven Stroud

    Not sure if this is related, but I had a note last week from the IEEE advising that some email addresses had been compromised.

    Unfortunately, I did not keep the email.

  10. Chase emailed me the following earlier this afternoon:
    ———–
    Note: This is a service message with information related to your e-mail address.
    ++

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    * Don’t give your Chase Online(SM) User ID or password in e-mail.
    * Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    * Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    * Don’t reply to e-mails asking you to send personal information.
    * Don’t use your e-mail address as a login ID or password.

    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office
    ++

    If you want to contact Chase, please do not reply to this message, but
    instead go to Chase Online. For faster service, please enroll or log in to
    your account. Replies to this message will not be read or responded to.

    Your personal information is protected by advanced technology. For more
    detailed security information, view our Online Privacy
    Notice.
    To request in writing: Chase Privacy Operations, P.O. Box 659752, San
    Antonio, TX 78265-9752.

    JPMorgan Chase Bank, N.A. Member FDIC
    © 2011 JPMorgan Chase & Co.

    LCEPAEM0311

  11. Got my 4th notification, this time from TARGET, which wasn’t on the list! This may be more wide-reaching than anybody thought.

  12. Gerard Mc Namara

    This is from TD Ameritrade’s website:

    Epsilon, one of our marketing vendors, has notified us that an unauthorized party has accessed its files, which include some TD Ameritrade client names and email addresses. Epsilon does not have TD Ameritrade client financial information or Social Security Numbers, and has informed us that only client names and email addresses were acquired. This has affected other companies in the financial and retail sectors as well. We are monitoring for spam and the potential for any phishing activity (attempts to obtain your personal information). While we are not aware that our clients have seen evidence of this, please be alert to the possibility that it could occur. We want you to know that TD Ameritrade will never ask you via email for your account number, UserID, PIN or password. More information.

  13. This is the public website, but you need a password to access the page with the message:

    http://www.tdameritrade.com/welcome3.html

  14. I guess you can add Airmiles Canada to that list. Just received that email about ten minutes ago…

    https://www.airmiles.ca/arrow/Splash?splashId=13100102

    Looks a lot like the others.

  15. The AIR MILES® Reward Program was informed by our email service provider that they had an unauthorized entry into their email platform, which is the system used to send AIR MILES emails. We have been assured that the only information that may have been exposed was first name, last name and email address of some of our Collectors. Details of your account are not stored in this system and were not at risk.

    Please note it is possible you may receive spam email messages as a result. We want you to be cautious when opening links or attachments from unknown third parties. We want to remind you that AIR MILES will never ask for your personal information or login credentials in an email. As always, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email.

    As a reminder, we recommend that you:
    • Don’t give your AIR MILES Collector number or PIN in email.
    • Don’t respond to emails that require you to enter personal information directly into the email.
    • Don’t respond to emails threatening to close your account if you do not take the immediate
    action of providing personal information.
    • Don’t reply to emails asking you to send personal information.

    We regret that this has taken place and apologize if this causes you any inconvenience. We take your privacy very seriously and we will continue to work diligently to protect your personal information.

    If you have any questions please contact us at question@airmiles.ca or 1-888-AIR MILES.

  16. Dear Customer:
    We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

    • Do not open e-mails from senders you do not know

    • Do not share personal information via e-mail

    Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

    As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

    Sincerely,
    Jeffrey Diskin
    Senior Vice President, Customer Marketing
    Hilton Worldwide

  17. Thanks for your post and keeping a running list. I see 10 companies with whom we do business yet only 2 have contacted us.

    Ironically, I signed up for Best Buy Rewards and Target on the day of the breach. Talk about bad timing!

    This is the most helpful post I have seen thus far regarding the Epsilon breach.

    Thanks a million for being so helpful.

  18. did you give out your personal e-mail address to a company in person or on a website? if so, the fool is YOU!

    • Doesn’t matter how the company obtained it… in person (has to be entered into a system to be of any use) or via the web. Once it’s in their system it’s vulnerable to hijacking if there is a breach.

      • Thanks, Brenda, but this is an obvious loser. We shouldn’t have even wasted any time with him. There’s 3 seconds we can’t get back.

    • Really? This coming from a guy who has the same father as his mother.

      Crawl back under your trailer with the rest of your redneck uncle-brothers!

      Freakin’ idiot!

      LMBO!

  19. Hubby received his E-formletter from Best Buy Rewards this morning. Yada yada yada…

  20. Okay…with all of this going on what are WE the consumer supposed to do. I got a notice from US Bank and Chase Bank. I mean is there anything that i could or is it already too late?

  21. Most likely you’ll get lots of notices from what I hear on the news regarding all the major companies Epsilon supports.

    At this point, avoid giving out any personal information to anyone.

    If you’re worried about not knowing if an email is legit, pick up the phone and call the company. It’s a good safe practice NOT to call any phone number given in any emails also because they can be fraudsters connected with phishing emails.

    You really should go to our website http://www.SecureMySocialNetworking.com and see how else you can protect yourself… at the very least, protect all your usernames and passwords from being stolen by keyloggers.

    Just a suggestion if you want to do something proactive… or as proactive as you can at this point.

  22. No e-mail notices YET from Capital One, which took over ChevyChaseBank a couple of months ago.

    ALSO, Brian

    Any idea what is happening in the gross failure [it seems] of the Comments Section of your old employer, The Washington Post. The Post Ombudsman claims that ever since the new Comments section went up in March, they have been having major issues with many folks who are signed up properly, but whose comments don’t get posted. Tech support left a voice mail suggesting the issue may be browser specific, but if that is so, then Firefox, SeaMonkey, Opera, Chrome and even IE all seem to be failing in my recurring posting efforts about Libya. UGH !!!

  23. Hmm, someone asked what consumers should do. I think we should file class action lawsuits against these damn companies. I’m one of these people who thinks that our country is too sue-crazy, but, in this case, I’d love to see a huge lawsuit happen. I’m tired of companies not doing enough to protect critical consumer information. Everything from “lost” laptops to security breaches should not happen. Joe Schmoe who has a job where he carries around a company laptop with info on a million consumer accounts should not be leaving it in the trunk of his car while he runs into a mall to shop for a new dress shirt. And, companies, like Epsilon, who are responsible for so much critical consumer data should be encrypting the crap out of this information. I’m just tired of these companies getting a slap on the wrist. Maybe if they were held accountable more often, they’d take things a little more seriously. A-holes!

    • Donna, I feel your pain and angst.

      Here’s the problem… Big companies have deep lawyer pockets, deep pockets to pay for lobbyists, and big checkbooks to keep the politicians who are charged with enforcing the very consumer protection they draft disinterested. The story theme is the same… not enough resources to enforce the laws.

      Good luck finding a lawyer with the backbone to stand up and face corporate lawyers who are paid to defend reckless oversight.

      We only have to look at the FTC and Congress who backed down to the lawsuit pressure from the AMA and the ABA. As a result, Congress actually went in and changed the definition of creditors so that lawyers and healthcare professionals wouldn’t have to comply with the law… the very law that was enacted to protect our information.

      In other words, it’s a big circle jerk.

    • Thanks for your insight, Brenda. Unfortunately, I know you’re probably correct. Companies with deep pockets and policy makers who are in bed with them run the world. Selfish and greedy people in higher places than we’re in screw us as usual. I’m pissed off about this and other things and am tired of ignoring them. Even though I probably can’t do much alone, I’m hoping that at least a few more people feel pissed off enough to also voice their anger. Right after my initial post on this site, I wrote my first email to the White House about how there seems to be a lack of government involvement when it comes to protecting us and punishing companies that don’t take securing our information seriously. Even if it does nothing, I feel better that I’m not just sitting back and not trying. Maybe slowly, more and more of us in the peon class will be able to yell loud enough to make a difference.

      • I encourage people to voice their discontent.

        Actually, I recommend you email the Federal Trade Commission and your state Attorney General as these are the agencies charged with enforcing consumer privacy/security laws.

    • Don’t let the companies on the list off the hook. The problem is not with Epsilon. The problem is with the companies on the list that did business with a company (Epsilon) and did not ensure the data they gave Epsilon was secure.

      • Just as an FYI, every company collecting, storing, disposing of and SHARING personal information is required to secure it under state identity theft and privacy laws… and in many cases, under the federal Red Flags Rule.

        No company handling non-public personal information escapes the responsibility to keep PI secure. Companies violating these laws are subject to state and federal fines including civil lawsuits.

        And as an FYI, some state laws consider email addresses personal information.

        Will states fine Epsilon for negligence? Only if pressure is put upon the state Attorneys General to do so, I’m afraid. I doubt any AGs will step up to the plate to protect the millions affected by this breach unless there is evidence a large number of people have had their accounts compromised.

  24. @ Donna C. I 100% agree with you. Some of us may not be affected at all, but what about the people that are? We just sit around and screen every email we get….worried that we have been hacked. While the BIG people say sorry and continue on with w/ever life they do have. This is crap and I should not have to suffer for others’ f*ck-ups.

    • Monica…
      Yes, we shouldn’t have to suffer for other companies’ f*ck ups. Epsilon was TRUSTED with all this info, and they didn’t do enough to protect it. I read several articles about this breach, some on well-known computer websites and some on web security industry websites. All the articles basically stated that this should never have happened. They all said that Epsilon should’ve had all that consumer info encrypted. If it was, then they wouldn’t have caused what some major news sites are calling the biggest breach in US history. Thanks, Epsilon, you a-holes!

  25. To anyone who understands the technical aspect of how email works, please tell me if this is an idea that could help.

    If we set up another email address to use ONLY with the affected companies, we now have ONE email address associated with those companies and know that any legitimate emails from them going forward will be addressed to us only at this new email address. Therefore, if and when we receive an email from any of these companies at any address other than the new one we set up, we will know immediately that it is from the hackers and can turn it in to whomever is handling the investigation.

    This does not address the larger issues but might help track back to the hackers.

    Email experts, technology folks, please respond and let me know if this could work in the manner I think it can.

    Thanks in advance for sharing your feedback.

    • It probably won’t work in the manner you think it will to assist law enforcement in an investigation. If the individuals behind this theft get caught, it will be because they left incriminating evidence in or around Epsilon. Most likely the person that stole these email addresses will re-sell them to a true spammer for use.

      However changing your primary email address after this breach is an excellent strategy to avoid spam and phish. I would recommend that approach if you are looking to get proactive.

    • I do what you suggested. I own a domain and my host provides lots of e-mail addresses, as well as aliasing. So if I was a Kroger customer, I would set up an alias lroger@mydomain, and use that address for Kroger only. If I received anything at that address, it would be because Kroger sent it or someone who got the address from them. Should it become a problem, I would delete the alias.

      The nice thing about aliases and forwarding addresses is that to the rest of the world, they look like a normal e-mail address. However, they all route to your primary mailbox, so you don’t have to check a lot of e-mail addresses. Even though they land in your main mailbox, they still show which alias they were sent to. (At least that’s how it works with my provider.)

      Anyone could do this with a bunch of free e-mail accounts. The problem is routinely checking all those accounts.

  26. I didn’t see 1800Flowers on your list…

    Dear 1800Flowers.com Customer:

    One of our email service providers, Epsilon, has informed us that we
    are among a group of companies affected by a data breach that may
    have exposed your email address to unauthorized third parties.
    It’s important to know that this incident did not
    involve other account or personally identifiable information.
    We use permission-based email service providers such as Epsilon
    to help us manage email communications to our customers.

    We take your privacy very seriously and we work diligently to ensure
    your private information is always protected. Epsilon has assured
    us that no private information, other than your email address,
    was involved in the incident. We regret any inconvenience
    that this may cause you.

    Because of this incident, we advise you to be extremely cautious
    before opening emails from senders you do not recognize.

    We thank you for your understanding in this matter.

    Sincerely,

    Bibi Brown
    Director, Customer Service

  27. I first notified Hilton about the data breach on 27th of September 2010 – repeatedly since. Emails, faxes, phone calls. ZERO RESPONSE. Now over 6 months later, they are owning up. The real danger is their tardiness in only now partially advising victims. How many have already fallen prey to the ‘Hilton’ emails requesting victims to update their Skype or Acrobat!

    How do I know it was Hilton? When I registered, I used the unique email address hh@mydomain.xx.uk

    Yes, this problem is worldwide, not just the US. Here they are in breach of the Data Protection Act 1998.
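The per-vendor alias scheme proposed in comment 25 and the hh@mydomain.xx.uk canary that let the commenter in comment 27 pin the leak on Hilton are the same technique, and it can be scripted. The block below is an added example, not code from the post or from any commenter. It assumes a hypothetical domain example.test whose mail host delivers every alias to one mailbox and records the original recipient in a Delivered-To header and its DKIM verdict in Authentication-Results; the vendor domains, the secret and the sample messages are constructed for illustration.

```python
"""Per-vendor e-mail aliases as leak canaries (added example).

Assumptions (not from the post): you control the hypothetical domain
example.test, your mail host delivers any <alias>@example.test to one
mailbox, and the receiving MTA records the original recipient in a
Delivered-To header and its DKIM verdict in Authentication-Results.
"""
import email
import hashlib
import hmac
from email import policy
from email.utils import parseaddr

DOMAIN = "example.test"  # hypothetical domain you control


def make_alias(vendor: str, secret: bytes, domain: str = DOMAIN) -> str:
    """Derive an unguessable per-vendor alias.

    A plain 'kroger@' local part can be guessed by any spammer; an HMAC
    tag keyed with your own secret makes the address unpredictable while
    letting you recompute it for any vendor later.
    """
    tag = hmac.new(secret, vendor.lower().encode(), hashlib.sha256).hexdigest()[:8]
    return f"{vendor.lower()}-{tag}@{domain}"


def recipient_alias(msg) -> str:
    """Alias the message was actually delivered to.

    Delivered-To is written by your own MTA; the To header is written by
    the sender and may be missing, blank or a Bcc cover address.
    """
    hdr = msg.get("Delivered-To") or msg.get("To") or ""
    return parseaddr(str(hdr))[1].lower()


def sender_domain(msg) -> str:
    return parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()


def dkim_passed(msg) -> bool:
    """Crude check of the MTA's own DKIM verdict (provider formats vary)."""
    return "dkim=pass" in str(msg.get("Authentication-Results", "")).lower()


def check_message(raw: str, expected: dict) -> dict:
    """Classify one RFC 5322 message against alias -> allowed sender domains.

    Verdicts:
      ok              alias known, From domain allowed, DKIM verified
      unauthenticated From domain allowed but not DKIM-verified (may be forged)
      leaked          alias known, but used by a domain you never gave it to
      unknown-alias   not one of your vendor aliases
    """
    msg = email.message_from_string(raw, policy=policy.default)
    alias, sender = recipient_alias(msg), sender_domain(msg)
    if alias not in expected:
        verdict = "unknown-alias"
    elif sender not in expected[alias]:
        verdict = "leaked"
    elif not dkim_passed(msg):
        verdict = "unauthenticated"
    else:
        verdict = "ok"
    return {"alias": alias, "sender": sender, "verdict": verdict}


def triage(raws, expected) -> list:
    return [check_message(r, expected)["verdict"] for r in raws]


# --- constructed sample data ---------------------------------------------
SECRET = b"rotate-me"  # constructed; keep the real one out of source control
KROGER = make_alias("kroger", SECRET)
HILTON = make_alias("hilton", SECRET)
EXPECTED = {KROGER: {"kroger.com"}, HILTON: {"hilton.com"}}

SAMPLES = [
    # legitimate mail: right alias, expected domain, DKIM verified by our MTA
    f"Delivered-To: {KROGER}\nFrom: Kroger <news@kroger.com>\n"
    f"Authentication-Results: mx.example.test; dkim=pass header.d=kroger.com\n"
    f"Subject: Weekly deals\n\nHello.\n",
    # the Hilton alias arrives from a domain it was never given to: a leak
    f"Delivered-To: {HILTON}\nFrom: Hilton Honors <update@skype-login.example>\n"
    f"Subject: Update your Skype\n\nClick here.\n",
    # From domain looks right but our MTA did not verify DKIM: treat as forgery
    f"Delivered-To: {KROGER}\nFrom: Kroger <security@kroger.com>\n"
    f"Authentication-Results: mx.example.test; dkim=none\n"
    f"Subject: Verify your account\n\nLog in now.\n",
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, triage(SAMPLES, EXPECTED)):
        print(verdict, "<-", raw.splitlines()[1])
```

Two caveats a practitioner should keep in mind. The From header is under the sender's control, so a phisher who obtained the alias and also spoofs the vendor's domain will only be caught by the DKIM check, which depends on your provider exposing its verdict in Authentication-Results in the format this crude substring test expects. And once an alias shows up as leaked, the useful move is the one the commenter describes: retire that alias, mint a new one with make_alias and a fresh vendor label, and give only the new address to the vendor.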

  28. Jacer83

    You actually want to continue doing business with the companies that sent out all the generic sorry about your inconvenience, followed by, we’re serious about your privacy?

    If you are in driving distance to the company, go see the manager, if too distant call their home office. Flood them with bitchy calls.

  29. From MoneyGram

    We have been informed by Epsilon, a service provider that sends emails on our behalf to our customers, that files containing your first and last name and email address were accessed by an unauthorized entry into their computer system. MoneyGram was one of a number of companies impacted by this incident. According to Epsilon, the personal information that was compromised does not include any customer financial information.

    As a result of this incident, you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails attempting to solicit personal or financial information. You should be extremely cautious before opening links or attachments from unknown third parties or providing sensitive information in response to any email. If you receive an email that appears to be from MoneyGram asking for personal information, delete it or forward it to TransactionSecurity@moneygram.com. It did not come from MoneyGram.

    Please remember that MoneyGram will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time.

    If you have questions regarding this incident, contact us at 800-926-9400. We regret any inconvenience this may cause you.
