Epsilon Breach Affects JPMorgan Chase, Capital One

Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?

Received one this morning.

[grub]

I received this today. Another case where I'm happy to use throw-away accounts at a domain I own.

Dear [me],

We have been informed by our email service provider, Epsilon, that your name
and email address have been exposed by unauthorized entry into their system.
Epsilon deploys emails on our behalf to our Reward Zone members. Click here
to read Epsilon's statement.

We have been assured by Epsilon that the only information that has been
exposed was your name and email address. A rigorous assessment by Epsilon
has determined that account details, passwords or any other personal
information were not at risk.

It is possible that you may receive spam email messages as a result and we
would advise you to be very cautious when opening links or attachments from
unknown senders. More information on spam and protecting yourself from email
fraud can be found here.

In keeping with security industry best practices, Best Buy will never ask
you to provide or confirm any information, including credit card numbers,
unless you are on our secure e-commerce site, www.bestbuy.ca. If you receive
an email asking for personal information, delete it. It did not come from
Best Buy. The next scheduled email from Reward Zone about our Trade In Event
will arrive to your inbox on April 15, 2011.

Our service provider has reported this incident to the appropriate
authorities.

We regret this has taken place and any inconvenience this may have caused
you. We take your privacy very seriously, and we are working diligently to
fully investigate this situation and continue to protect your personal
information. If you have further concerns or questions please contact us:
1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

Sincerely,

Angela Scardillo
Vice President of Marketing
Best Buy Canada

what good is an apology...

[Lead+Butthead]

if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.

Re:what good is an apology...

[Ambiguous+Coward]

Oh, come on now, let's be fair, they're all really quite sorry...

...sorry the public was made aware of the breach.

Wonderful.

[bobdotorg]

I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.

And yet they retained and leaked my email address.

Can I charge them a $10 monthly fee for spam removal?

Re:How does this happen?

[hedwards]

It's not so much a matter of money as it is one of logistics. Maintaining an farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt outs and all the other stuff, handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.

If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.

Capitalone, spends a lot of money protecting its customers from fraud, I know that because they're regularly on the phone with me when their computers pick up suspicious activities, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut cost fly by night vendor for managing their emails. It's possible, but strikes me as odd.

One from Robelt Half

[wiredog]

They have my email because they are tech headhunters, and I was unemployed a few years back.

 

Dear Valued Customer,

Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.

Sincerely,

Robert Half Customer Care

Brave New Marketing Services

[AdamThor]

Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.

Re:How does this happen?

[omnichad]

I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, Domainkeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you knew what happened. I could go on, but none of these things involve spammy keywords being in the message at all.