Slashdot Mirror
Epsilon Data Breach Bigger Than Just Kroger Customers' Data
wiredmikey writes with an update to the previously reported Epsilon breach: "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow ..." An anonymous reader points out that U.S. Bank is on the list of affected companies; I wonder how many more phishing attempts this will mean.
Just got this email:
CollegeBoard.com
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.
Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.
Epsilon has reported this incident to, and is working with, the appropriate authorities.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
The College Board
I got a message from tivo today about this exact type of breach, i guess they use this company also although the email was vague on the name of the company and the reason they had my email to begin with.
Erdos, who never married, would greet the sight of a colleague's toddler by exclaiming, "Aha, an epsilon!" Even an absent-minded mathematician would have realized that you don't put customer data in the custody of an Epsilon.
Usually email marketing databases include a lot more than name and email. They can include identifying demographic info such as home address, sex, age, income, and more to allow for message targeting. Now it's possible that these guys only took names and emails as Kroger and US Bank have announced, but I wouldn't be surprised of Epsilon perhaps underplayed the severity of the breach to their clients.
Airplane Photos, Airline News, Planespotting Guides
If this is in retaliation to Microsoft's recent action of disabling a well-known botnet.
I got a similar message from Brookstone tonight. First name and Email only it claims.
because this kind of crap can happen to you. Might not matter for your personal computer, but if you are a corporate account, it could destroy your company.
One can only hope this sheds some light on the way companies routinely share otherwise personal information without full disclosure. Maybe if enough people see the people see all their information being compromised by 3rd-party affiliates they never heard of they'll realize what's going on. They just don't seem to realize (or care) that just by filling out 1 form and handing it to 1 company, dozens of other partner/contractor/affiliate companies get a copy and will likely keep it forever.
It's even worse when they do it with social security numbers or financial data. My school routinely hands social security numbers to other companies as a way of "minimizing liability" because if something happens then they can blame the contractor, as if that somehow minimizes the risk to students. I see this sort of thing happen all to often and it saddens me.
PRINCE MIKE OKOYE.
His Royal Highness Palace.
45 Marina St.,
V/I,Lagos-Nigeria.
Atten: Managing Director.
Dear Sir,
I am Chief Accountant with the National Oil Nigeria
PLC (N/Oil) and member of 5 MAN Contract Executive
Review Panel (comprising 2 Snr.Staff of CBN and 3
Snr,Staff Of (N/Oil) set up by present Civilian Regime
of President Obasanjo. So far we have come across a
surplus of the sum of US$27M.(Twenty-seven Million
Dollars)which was as a result of deliberate
over-invoicing of certain contracts awarded by
Contract Award Committee of the cooperation.
The last installments due has been paid to the various
Contractors, while the said surplus still floats in
our Apex Bank waiting Off-shore remittance which we
want to carry out right now. As civil servants we not
allowed operate foreign account, therefore seek your
assistance in providing enabling Bank Account where
the Fund would be lodged.
25% of the total Sum is for you 5% for expenses during
transaction, and 70% for my colleagues and me.
A friend who is a Staff of World Trading Center (WTC)
here in Lagos made your contact available. Please
notify me of your acceptance to carry out this
transaction through the above E-mail address or fax
number.
I decided to contact you base on the fact that I have
no foreign partner to assist me in executing the
transaction. If you accept to carry out this business
with me, please note that my colleague and me will be
in your Country to receive the fund together with you,
the moment we secure all the necessary approvals.
You should also note that the transaction would only
take (14) fourteen working days.
you can also reply me to my private email
address:princemikeokoye57@safe-mail.net
Best Regards,
Prince mike okoye.
like being able to declare an e-mail address dead, and know that the e-mail provider would be obligated to treat it that way, not just re-issue it to somebody else or whatever they wanted to do.
I've probably had 15 or 20 e-mail addresses over the years, most of them long since lost to attrition. Is somebody using my account now? Maybe. Hope not. At least some of the domains are gone, so I don't have to worry about them, more than likely anyway.
Ah well, not like I needed anything related to them, or any services I signed up for while on them. Even my old paypal account didn't have much money in it when I left it behind.
Pity my financial service provider doesn't have Two-token authentication yet. It's a pity that Blizzard and Square are ahead of them on that regard.
These people are idiots of outsourcing private information like that... that's why I keep all my customer data on my little notepad, which is.. right... um... around here somewhere... hm... oh well, I'm sure I'll find it eventually.
WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
Yet another example of why I'm inclined to avoid "cloud" (once known as hosted) services. Your data is at the mercy of people of unknown competency, working for companies with limited responsibility and questionable longevity.
That's probably because it's cheaper to pay out whatever gets stolen and the government doesn't tell them they have to. I'm not sure how much the tokens cost, but last I heard, using chip and pin for credit cards costs somewhere around $40-50 each time they issue a card.
Here is the US Bank email I just got...
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
.... then we're in trouble
I ran into their awful code back in August, when I was trying to sign in for a Sears email special (hey, I need some cheap tools ...)
the page is still there:
http://www.sears.com/shc/s/dap_10153_12605_DAP_Get%20Connected?adCell=WF
It wouldn't validate my password (say ... for example, "ab1cd2ef"), even though it met all the requirements:
"Password must be at least 8 characters, contain at least one number and one character, not start with a number and not contain any
special characters."
so I dug in a little, and found quite a gem of Javascript !
if (/^[a-zA-Z]+[0-9]+[a-zA-Z]*$/.test(oPass.value) == false) {
alert(invalidMsg);
oPass.focus();
return false;
}
it won't handle the two numbers ...
try it ... go to the sears link up there, and try registering with a password like ("ab1cd2de") ... don't worry, it won't work, so your (hopefully fake) email will be safe ...
if you want to see what's happening, have a look at the script.js file, and searh for the function verifyPass() ... ...
you can even see some commented out code of their previous attempts at implementing this basic functionality
I emailed Sears back in August, telling them where the error was, and a simple way to fix the regex used ... but all I got was an "out of office reply"
ah we.. I still managed to register after all, and have bought a few tools on sale ...
I get bitten by incompetent validation fairly often. A password should not be accepted which is too long without throwing an error, and yet often times I set a 20 character password only to find out later that the maximum length is 16 and that they ignored those last 4 characters.
Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.
New york n company also in the list..
Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.
Whew! All I can say is - thank goodness Epsilon's not in charge of RSA token security! If that got breached we'd be in REAL trouble!
#DeleteChrome
i just got 2 emails one from US bank and One from Tivo on this
I use my own domain with a different email address or each company. This is anyoing. US bank was already on my S^%&t list for other things.
Not to argue with your point about the validation, but the chances that Epsilon had anything to do with implementing that Sears.com login page are virtually nil.
Google voids deleted email addresses. Probably good, since I've deleted 4 or 5 GMail/Google accounts.
1) Find random email spam list on internet
2) Claim it is the "FAMOUS" list from Epsilon
3) Sell to spammers @ premium rate
4) PROFIT !!!
Man: Well, what've you got? ...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam... ...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam.
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;
Vikings: Spam spam spam spam...
Waitress:
Vikings: Spam! Lovely spam! Lovely spam!
Waitress:
Wife: Have you got anything without spam?
Waitress: Well, there's spam egg sausage and spam, that's not got much spam in it.
Wife: I don't want ANY spam!
Man: Why can't she have egg bacon spam and sausage?
Wife: THAT'S got spam in it!
Badges!?! We don't need no stinking badges!
Well we know the phishing attempts on PayPal might increase by .000000000000000000000000000000000000000000001%.
My really old email address gets about 50 (about a dozen unique) different PayPal phishing attempts *per day*.
I initially (even though I hate the bastards) did what I thought was the right thing and reported them, but after awhile it was like using a teaspoon to bail the water out of a sinking ship :)
If your school requires you to use the CSS financial aid application College Board (rather than FAFSA from the federal government), chances are you are in a wrong school, or you have too much assets that a little bit of ID theft shouldn't hurt. Heck, you may able to aggregate the loss as a result of ID theft and get that tax write off as a charitable expense (consult your tax attorney first), because who ever the nigga that cash in your identity must be on welfare. (For those of you don;t know, schools that require CSS application from college board are either ivy leagues or from the west coast. IF you getting in one of those, it is your civil duty to spread your trust fund around.)
Twitter: @dainsanefh
I refuse to give them my private information just to shave a few points off of my shopping bill. How much is your personal private information worth? Quite a lot, apparently...
Comment removed based on user account deletion
Nice catch on the front-end... now, what happens when you turn off Javascript? Do they use the same regex on the back-end? Do they check on the back-end?
Just curious, as I haven't had time to check for myself...
Kroger does have quite a bit, if you use their pharmacy, due to all the wonderful regulations.
Not saying that was part of the data they would send to a spam haus, but don't stick your head in the sand that they don't have a lot more data internally.
---- Booth was a patriot ----
If they have the email address and name of the associated company, phishing attacks may just be one way to use it. The could conceivably attempt to reset passwords at sites that let you do that with a security question (unlikely, given the time and effort required) or attempt to combine that data with password info stolen from a major email program and then reset passwords and steal them.
I'm a consultant - I convert gibberish into cash-flow.
My daughter would not be attending the high-quality, CSS-requiring educational institution she is today without a very hefty financial aid package from that school. Take your stupid and uninformed class warfare crap somewhere else, fella. I'm guessing you're just bitter that you weren't accepted into one of those institutions.
From TFA: "Citi also warned customers over Twitter about the incident"
So unless we're members of the twittering classes we're not deserving of notifications when a security breach occurs. Glad I'm not one of Citi's customers.
I still managed to register after all, and have bought a few tools on sale ...
Thereby rewarding them despite their obvious ineptitude.
Or you could have spent a little more, but given your sale (and personal information) to someone else.
Text of e-mail from Disney this morning:
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.
We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.
As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.
If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.
Sincerely,
Disney Destinations
Sun, April 3, 2011 8:02:42 AM
Important Information for Disney Destinations Email Recipients
From:
Disney Destinations
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.
We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.
As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.
If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.
Sincerely,
Disney Destinations
It's a little creepy how the securitylink page, linked to in the summary, asks you to give them your email address before you read the page...
A lot of email marketing companies provide "landing page" coding as well. Though you may be right in this case.
PocketPermissions Android Permission Guide
I got this one yesterday:
Dear New York & Company Customer,
Yesterday, we were informed by our email service provider that your
email address was exposed by unauthorized entry into their system. Our
email service provider deploys emails on our behalf to customers who
have opted into email based communications from us. We want to assure
you that the only information that was obtained was your name and/or
email address. Your account and any other personally identifiable
information were not at risk.
Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We also want to remind you that
we will never ask you for your personal information in an email.
We sincerely regret this has taken place, and we apologize for any
inconvenience this may have caused you. We take your privacy very
seriously, and we will continue to work diligently to protect your
personal information.
Please visit http://faq.nyandcompany.com/ for answers
to some frequently asked questions about this incident.
Sincerely,
New York & Company
You've received this message because you registered to receive
email from New York & Company. If you no longer wish to receive
email from us, or would like to edit your email preferences,
click here.
http://email.nyandcompany.com/p/NYandCompany/OptOut?EMAIL_ADDRESS=nyandcompany_orders@ecuadors.net&
Click here to view our Privacy Policy.
http://www.nyandcompany.com/nyco/company/privacy.jsp?&
New York & Company Corporate Office
450 W. 33rd Street
New York, NY 10001
And this one today:
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.
We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.
As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.
If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.
Sincerely,
Disney Destinations
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Dear TiVo Customer,
Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.
We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.
Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.
Sincerely,
The TiVo Team
Actually, the signup.aspx is in an iFrame on Sears that is pulled from Epsilon.com. So yes, Epsilon is the coder of the crap. A simple series of Test cases and some Googleing could have fixed that.
I too hate that when you are browsing a site that got something wrong and you try to point out how to fix it, since you are a customer and would like it to work in your browser of choice, and the company totally blows you off. When somebody gives you that detailed of an explanation about your problem, you should listen to them since they probably know what they are talking about. At least give it a try.
Data miners could have a field day with all these email lists. They could do lots of correlations of list memberships and derive lots of personal info, from "just lists" of emails.
I checked Epsilon's website. There are no IT Security jobs posted. Wonder how long it will be before that changes.
if their security is as good as their programmers .... then we're in trouble
This reminds me of the old computer laws I had on a mug in the early '80s... If construction workers built buildings the same way that programmers built programs, the first woodpecker that came along would destroy civilization.
TiVo notified me today of the breach.
It got fixed the day the new regs took effect, up to that point they were minting money from that website. They had plenty of collections people, often not very smart, often it took a couple of tries to get a payment made.
All in all, a nightmare compared to any other vendor I used, and a blight on REI's customer service rep. When the chance came, I paid them off first and kept away.
So this morning I got this in my email...
I think it is only stupid evil companies that were using Epsilon. Litmus test.
Yes, Kroger might have more info, but it's not like someone could do something like record fake trust deeds and resell them with my pharmacy records.
Google voids deleted email addresses. Probably good, since I've deleted 4 or 5 GMail/Google accounts.
Well, that's good for them, but I had email before there was a Google, so what do I do?
Not that I care about my old college addresses or anything from that time but still, I wonder.
Please remember, Ameriprise will never ask you for personal or account information through email. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.
There's a distinction between Disney Destinations and Disney.com and while there may ultimately be some shared infrastructure (though not much - they're handled by completely separate organizations within DIsney) I'm fairly certain this is not an example of that. I know that Epsilon isn't used to back the core registration system, so I'm going to take a guess and say that Epsilon comes into play when an e-commerce transaction happens - something frequent on sites like Disney Destinations, but disney.com itself has no e-commerce.
There are several MAJOR pieces of information missing from all the reports on this incident.
Mainly, the Brand (s)of Software involved.
Not the version, just the brand name.
Since 'Linux' was not mentioned, I would guess the same situation that exists in political coverage, is in play.
Anything 'negative' will not mention Microsoft. But, if any other OS is involved, 300 mentions with all the negatives, will occure in a 400 word article.
My bank uses 'Windows.'
They think Netscape 2.0 is a current browser.
They have no mention of Firefox in their documentation.
They tell me they are computer savvy.
BUT... they use Windows.
Want to bet that most of the systems involved in this problemuse Microsoft? (or ALL the systems do?)
After nyandcompany.com and disney I got an email from abebooks:
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
They must use a different one, I "forced" the bad password through, and it worked just fine (at least it did 8 months ago)
I got no notification but statement is on credit card site, which implies they got credit card e-mail address and names..I bet Lowes would pay a fortune for this list..
Some of you understand the software engineering of this a lot better than I do. Can, or how can, we prevent and deal with these crimes on the technical side? I'm a retired lawyer with medical and other privacy law expertise and this is just one of many areas where our legal system doesn't work except for the vrey rich criminals. If there is any advice you technical experts can give Congress while they are working on yet another computer privacy bill right now, please do so and please publish your advice, both in code etc. and in language Members of Congress, and those of us whose doctorates are not in math or computers can understand. These recurring breaches, ranging from hacking into supposedly protected stolen laptops to things like this, would probably not happen, or be as common, if we could and did dry up the money in and market for stolen personal data. I suspect nobody in government or either political party wants to really stop this. The companies that gather and sell personally identifiable information know that a lot of what they are buying from such thieves is not only stolen but is, or should be, protected by law. Most of us have to use Loyalty Cards, etc., which "give" us "savings" that come out of the stores having systematically overcharged us in the first place. Likewise coupons. On top of that, the best published data indicates that these stores charge more than others even after these "discounts." The stores know how much of each brand of what they sell, and their keeping records that identify individual customers for prescription medications, etc. and using, sharing, o selling this should be outlawed. Anyone with the buying records of customers of Kroger's pharmacies, college scholarship applicants, and others whose rights to privacy were apparently violated here, has power that nobody should be allowed to have. Of course it will be misused, either by the original holders or those who actually or allegedly stole it--or did they really buy it?--from them. Nobody ever gets busted when the academic and medical records of a generation of university students and faculty are, for some inexplicable reason, on a laptop computer that then somehow gets left behind somewhere and actually or allegedly stolen. If you gather up a large quantity of sewage, toxic chemical waste, plague virus, or the like, you are responsible for keeping it confined. Nobody is really held accountable for what happens to this stolen private personal data because the buyers are rich and rich people are extremely unlikely to get investigated and prosecuted, not to mention that nobody outside their dirty little market in personal data knows who has what, much less what is and isn't accurate, stolen, or being used for illegal purposes. Of course, if you steal a confidential file that incriminates the right police officers and politicians you're home free. I was a lawyer handling criminal defense, and representing a lot of incest survivors, when the geniuses at the local police department sold me the departments recently replaced, and un-erased much less formatted, hard drive.
Not to argue with your point about the validation, but the chances that Epsilon had anything to do with implementing that Sears.com login page are virtually nil.
Actually that login is an Epsilon page that is iFramed. Epsilon does more than spam. They are a full loyalty solutions company (I worked there for a while but didn't work on that password validation :) ). They run a LOT of the big businesses' loyalty programs (Citi Bank, Best Buy, Fedex, Hilton, American Express, etc.). They have mountains of data on just about everyone.
Dear Valued Best Buy Customer,
On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.
We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.
In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.
Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.
Sincerely,
Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy
I like that they turned it into an opportunity to plug Geek Squad as well.
I see no funny comments .. WHY??
From my Inbox;
Dear Valued Customer,
Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.
We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.
Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.
As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.
Sincerely,
Robert Half Customer Care
Robert Half Finance & Accounting
Robert Half Management Resources
Robert Half Legal
Robert Half Technology
The Creative Group
Visit AbeBooks.com
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.
I received emails from US Bank, Target, and Best Buy about this breach. a bit scary...
This is huge. Three of my credit card companies have weighed in as well as Best Buy, Target & Walgreens. They have more than our email addresses. They know what credit cards we have. The reason I know this beyond doubt is I've received three very official looking (logo and all) emails attempting to data mine personal information. More naive people may actually click these links which instantly gives the crooks even more information on you even if you don't fill anything out.
It's bad enough they breached our trust by not securing our data, but now they are lying about the extent of the damage and trying to make it look like it's no big deal.
We need to band together as consumers and make sure the resulting lawsuit is so expensive to them that it will assure better security for all such firms going forward.