Epsilon Security Breach Notifications
Published on 11th April 2011 by Brett M. Christensen
Reader enquiries indicate that many people have been receiving notifications via email or other means from various companies that inform them that their data may have been compromised in a recent security attack on giant marketing and email service company, Epsilon. Some readers have raised the concern that the notification messages may be phishing scams designed to steal personal and financial information.
The security breach described in the notification emails did take place. An April 7, 2011 report in The Australian notes:
Epsilon's parent company, Alliance Data Systems, has confirmed the unauthorised entry into an email system on March 31 resulted in the loss of email addresses and customer names only.
According to the company, there was no loss of personally identifiable information, such as social security numbers, credit card details or customer account information.
It is understood the breach is under investigation by the US Secret Service and other agencies.
Epsilon said the incident affected around 2 per cent of its client base. The company claims to be the world's largest permission-based email marketing provider, sending over 40 billion emails annually on behalf of more than 2500 clients.
A number of companies affected by the breach have indeed been informing their customers about the security breach, sometimes via email. So far, the notification messages that have been submitted to me have been legitimate and represent the sending company's efforts to inform their customers about the security breach.
However, it is unclear exactly what the criminals responsible for the security attack intend to do with the data that they stole from Epsilon. Given that names and email addresses of customers were stolen in the attack, scammers may have the ability to send out "personalized" phishing scam emails that appear to be addressed directly to customers and use their names. It is possible that scammers could send out messages purporting to be from affected companies that ask recipients, for example, to update their information due to the Epsilon security breach.
Thus, while many of the notification messages informing customers of the security breach are likely to be legitimate, recipients should certainly remain vigilant. Do not respond to any messages that ask you to provide personal or financial information, either by clicking a link or by opening an attached file. If you have any doubt about the legitimacy of a message, it would be wise to contact the company directly to check.
Epsilon email security breach widens
Phishing Scams - Anti-Phishing Information