Slashdot Mirror


Epsilon Breach Affects JPMorgan Chase, Capital One

Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?

21 of 180 comments

  1. Received one this morning. by grub · · Score: 5, Interesting
    I received this today. Another case where I'm happy to use throw-away accounts at a domain I own.

    Dear [me],

    We have been informed by our email service provider, Epsilon, that your name
    and email address have been exposed by unauthorized entry into their system.
    Epsilon deploys emails on our behalf to our Reward Zone members. Click here
    to read Epsilon's statement.

    We have been assured by Epsilon that the only information that has been
    exposed was your name and email address. A rigorous assessment by Epsilon
    has determined that account details, passwords or any other personal
    information were not at risk.

    It is possible that you may receive spam email messages as a result and we
    would advise you to be very cautious when opening links or attachments from
    unknown senders. More information on spam and protecting yourself from email
    fraud can be found here.

    In keeping with security industry best practices, Best Buy will never ask
    you to provide or confirm any information, including credit card numbers,
    unless you are on our secure e-commerce site, www.bestbuy.ca. If you receive
    an email asking for personal information, delete it. It did not come from
    Best Buy. The next scheduled email from Reward Zone about our Trade In Event
    will arrive to your inbox on April 15, 2011.

    Our service provider has reported this incident to the appropriate
    authorities.

    We regret this has taken place and any inconvenience this may have caused
    you. We take your privacy very seriously, and we are working diligently to
    fully investigate this situation and continue to protect your personal
    information. If you have further concerns or questions please contact us:
    1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

    Sincerely,

    Angela Scardillo
    Vice President of Marketing
    Best Buy Canada

    --
    Trolling is a art,
    1. Re:Received one this morning. by cdrudge · · Score: 2

      From Best Buy's Privacy Policy:

      Uses of Information
      - Best Buy does not sell, rent or trade your personal information to third parties.
      - We use information about you to fulfill your requests, administer various programs, provide services, and for other business purposes.
      - Your personal information may be shared with current or future Best Buy entities or subsidiaries. We may also use the information you provide to send you marketing communications.
      - In limited circumstances, Best Buy may need to share your information with certain third parties to perform services on our behalf.

      The last point applies specifically to the issue at hand, and they haven't broken their written policy.

    2. Re:Received one this morning. by dgatwood · · Score: 2

      Oddly enough, I didn't. Guess they've lost my contact info.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. None by hedwards · · Score: 2

    I haven't gotten any yet, although I have done business with a few. If anything this is a reminder that services like Sneakemail exist for a reason.

  3. what good is an apology... by Lead+Butthead · · Score: 3, Insightful

    if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:what good is an apology... by Ambiguous+Coward · · Score: 3, Informative

      Oh, come on now, let's be fair, they're all really quite sorry...

      ...sorry the public was made aware of the breach.

      --
      Their may be a grammatical error, misspeling, or evn a typo in this post.
    2. Re:what good is an apology... by mitler · · Score: 2

      You're right. It's probably better that he not take the time to warn her that their email address may have been compromised, even though she may not work in the IT industry and not follow this type of news. At least she will feel like a strong independent woman as she clicks on that fake PayPal account verification link.

  4. How does this happen? by jaymz666 · · Score: 2

    I have received these from Best Buy and TiVo so far.

    Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?

    1. Re:How does this happen? by hedwards · · Score: 4, Interesting

      It's not so much a matter of money as it is one of logistics. Maintaining a farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt outs and all the other stuff; handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.

      If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.

      Capital One spends a lot of money protecting its customers from fraud. I know that because they're regularly on the phone with me when their computers pick up suspicious activities, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut-cost, fly-by-night vendor for managing their emails. It's possible, but strikes me as odd.

    2. Re:How does this happen? by compro01 · · Score: 2

      Epsilon's service includes dodging anti-spam measures, which would be difficult to do if it's not your primary business.

      --
      upon the advice of my lawyer, i have no sig at this time
    3. Re:How does this happen? by omnichad · · Score: 3, Interesting

      I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, DomainKeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you knew what happened. I could go on, but none of these things involve spammy keywords being in the message at all.

    4. Re:How does this happen? by compro01 · · Score: 2

      It's not the message content, but rather the traffic patterns. Lots of email providers use dumb systems like "if a particular mailserver sends me more than X messages at once, increase their spam probability by Y" and similar. Epsilon has that data, either from the ISPs or from their own testing and uses that to get around those measures.

      --
      upon the advice of my lawyer, i have no sig at this time
    5. Re:How does this happen? by Culture20 · · Score: 2

      I got one of these notices from my CC company, and it made me really mad when I thought about how I have *never* received an email from them that wasn't an attempt to sell a balance transfer or other undesired service.

      You have now.

  5. US Bank by jmanforever · · Score: 2

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
    http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

    In addition, if you receive any suspicious looking emails, please tell us immediately.
    Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

    The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

  6. Wonderful. by bobdotorg · · Score: 4, Interesting

    I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.

    And yet they retained and leaked my email address.

    Can I charge them a $10 monthly fee for spam removal?

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  7. Re:Not a lot... by Anonymous Coward · · Score: 2, Funny

    we are spam twins!

  8. One from Robert Half by wiredog · · Score: 3, Informative

    They have my email because they are tech headhunters, and I was unemployed a few years back.

    Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

    As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.

    Sincerely,

    Robert Half Customer Care

  9. I wonder... by jaymz666 · · Score: 2

    Did they use Epsilon to send out the security alert warning emails?

    >Received: from
    > by pimta03.epsiloninteractive.com

    Looks like it.... Hmmm... what does that say about it?

  10. Brave New Marketing Services by AdamThor · · Score: 4, Funny

    Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.

    --
    -- "Oh. This guy again."
  11. Re:List of victim companies by DarkOx · · Score: 2

    They got more than just names and e-mail addresses.
    The addresses they got probably have a much higher validity rate than other sources.
    They know which list you were on and can probably do some joins to figure out if you were on multiple lists.

    That makes for some big wins for phishing. If I am phishing and I send you a mail about your Visa card, chances are you have one, and with a lot of luck you just might fall for it. If I send you a mail about your LL Bean Visa card, well, not nearly so many people have those, and you are probably at least a little more likely to fall for it, as it's very specific and I can customize the thing with your name spelled just as you have it on the account.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  12. Re:List of victim companies by jank1887 · · Score: 2

    If nothing else, they now probably have a list of known live (mostly) email addresses tied to a valid company. I get tons of 'you have twitter notifications' spam, even though I don't use Twitter. Easy to ignore. But if I started getting phishing spam acting like my credit union, using my properly spelled name and email, it would be a different story. And, this includes grandma and her bank account, too. Go ahead, tell grandma to check the message source before she clicks a link to her bank that she actually remembers signing up for. See how far that gets ya.