Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Massive Breach at Epsilon Compromises Customer Lists of Major Brands

Major Breach at Epsilon, the World’s Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands – List Continues to Grow

Major Breach at Epsilon, the World’s Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands – List Continues to Grow

Epsilon Hacked -- Customer Email Lists Stolen[Update] – Due to the growing list of brands disclosing they’ve been compromised as a result of this breach, I’m going to go ahead and tag this as a massive breach. And I only expect it to get bigger as more announcements come out from Epsilon customers.

Last night we reported on a breach at marketing services provider, Epsilon, the world’s largest permission-based email marketing provider. Initially we wrote that the breach had affected Kroger, the nation’s largest traditional grocery retailer.

It turns out that Kroger is only one of many customers affected by the breach at Epsilon.

Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10 to build and host their customer databases.

SecurityWeek has been able to confirm that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands including the following:

• Kroger

• TiVo

• US Bank

• JPMorgan Chase

• Capital One

• Citi

• Home Shopping Network (HSN) (added 4/3 @10:22am)

• Ameriprise Financial

• LL Bean Visa Card

• Lacoste

• AbeBooks

• Hilton Honors Program

• Dillons

• Fred Meyer

• Beachbody (Makers of TRX)

• TD Ameritrade

• Ethan Allen

• Eileen Fisher

• MoneyGram


• Verizon

• Marks & Spencer (UK)

• City Market

• Smith Brands

• McKinsey & Company

 • Ritz-Carlton Rewards

 • Marriott Rewards

• New York & Company

• Brookstone

• Walgreens (Again!)

• The College Board (added 4/3 @8:20am)

• Disney Destinations

• Best Buy

• Robert Half

• Target


• bebe Stores

• Ralphs

• Fry’s

• 1-800-Flowers

• Red Roof Inn

• King Soopers

• Air Miles

• Eddie Bauer

• Scottrade

• Dell Australia

• Jay C

Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

A Marriott Rewards & Ritz Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed:

We recently discovered that one of our third parties’ computer systems was tampered with. Tampering with our systems by an unauthorized person or persons is an illegal act and we reported this incident to a law enforcement agency who is currently investigating this matter. The unauthorized person(s) had access to email addresses and member point balances. They did not have access to member addresses, account logins and passwords, credit card information or other personal data,” the spokesperson wrote in an email.

Correction: The Marriott Rewards spokesperson contacted us on Sunday to correct their initial statement, saying that member point balances were not disclosed afterall.

Citi also warned customers over Twitter about the incident, Tweeting the following: “Please be careful of phishing scams via email.  Statement from Citi for our valued Customers regarding Epsilon & email” with a link to the following statement: “Because e-mail addresses can be used for “phishing” attacks, we want to remind our customers that Citi uses an Email Security Zone in all our email to help them recognize that the email was sent by us. Customers should check the Email Security Zone to verify that email they have received is from Citi and reduce the risk of personal information being ‘phished.‘”

As the initial disclosure by Epsilon occurred late in the day on Friday, I expect several more brands to be announcing that they’ve been affected by the breach as well. When asked to comment, Epsilon has refused to provide additional details on what other brands may have been affected.

Related Reading: An Inside Look at Hacker Business Models

Read More in SecurityWeek’s Cybercrime Section

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption