
Massive Breach at Epsilon Compromises Customer Lists of Major Brands

Major Breach at Epsilon, the World’s Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands – List Continues to Grow

Epsilon Hacked – Customer Email Lists Stolen

[Update] – Due to the growing list of brands disclosing they’ve been compromised as a result of this breach, I’m going to go ahead and tag this as a massive breach. And I only expect it to get bigger as more announcements come out from Epsilon customers.

Last night we reported on a breach at marketing services provider, Epsilon, the world’s largest permission-based email marketing provider. Initially we wrote that the breach had affected Kroger, the nation’s largest traditional grocery retailer.

It turns out that Kroger is only one of many customers affected by the breach at Epsilon.

Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, that rely on it to build and host their customer databases.

SecurityWeek has been able to confirm that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands including the following:

• Kroger

• TiVo

• US Bank

• JPMorgan Chase

• Capital One

• Citi

• Home Shopping Network (HSN) (added 4/3 @10:22am)

• Ameriprise Financial

• LL Bean Visa Card

• Lacoste

• AbeBooks

• Hilton Honors Program

• Dillons

• Fred Meyer

• Beachbody (Makers of TRX)

• TD Ameritrade

• Ethan Allen

• Eileen Fisher

• MoneyGram

• TIAA-CREF

• Verizon

• Marks & Spencer (UK)

• City Market

• Smith Brands

• McKinsey & Company

• Ritz-Carlton Rewards

• Marriott Rewards

• New York & Company

• Brookstone

• Walgreens (Again!)

• The College Board (added 4/3 @8:20am)

• Disney Destinations

• Best Buy

• Robert Half

• Target

• QFC

• bebe Stores

• Ralphs

• Fry’s

• 1-800-Flowers

• Red Roof Inn

• King Soopers

• Air Miles

• Eddie Bauer

• Scottrade

• Dell Australia

• Jay C

Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

A Marriott Rewards & Ritz-Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed:

“We recently discovered that one of our third parties’ computer systems was tampered with. Tampering with our systems by an unauthorized person or persons is an illegal act and we reported this incident to a law enforcement agency who is currently investigating this matter. The unauthorized person(s) had access to email addresses and member point balances. They did not have access to member addresses, account logins and passwords, credit card information or other personal data,” the spokesperson wrote in an email.

Correction: The Marriott Rewards spokesperson contacted us on Sunday to correct their initial statement, saying that member point balances were not disclosed after all.

Citi also warned customers over Twitter about the incident, Tweeting the following: “Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email” with a link to the following statement: “Because e-mail addresses can be used for ‘phishing’ attacks, we want to remind our customers that Citi uses an Email Security Zone in all our email to help them recognize that the email was sent by us. Customers should check the Email Security Zone to verify that email they have received is from Citi and reduce the risk of personal information being ‘phished.’”

As the initial disclosure by Epsilon occurred late in the day on Friday, I expect several more brands to be announcing that they’ve been affected by the breach as well. When asked to comment, Epsilon has refused to provide additional details on what other brands may have been affected.

Related Reading: An Inside Look at Hacker Business Models

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
