Epsilon Interactive Breach: the Fukushima of the Email Industry

By Neil Schwartzman

"Marketing as Usual? Not a chance." —Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies, which provide outsourced mailing infrastructure to clients of all types and sizes.

Upon gaining access to an ESP, the criminals steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use the ESP's own mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante substantially. Email lists of at least eight financial institutions were stolen.

The obvious issue at hand is that the thieves can now undertake targeted spear-phishing: they hold names, email addresses, and a record of which companies each of these users does business with, and a phishing message that correctly names the victim's own bank or retailer is far more convincing than a generic one. That makes the problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP and ISP/Receiver industries to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data thieves and begin to properly protect end-users, without fail.

ESP & Senders

"Epsilon has refused to provide additional details on what other brands may have been affected." (Security Week)

"SilverPop did not respond to requests for comment." (Krebs on Security)

While secrecy is the instinctive corporate reaction, such a strategy exacerbates the frustration of the other set of victims of data theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and to allowing them to protect themselves: a user who knows which of their providers was breached knows which brands to expect phishing in the name of.

Receiving Systems

Desperate times call for desperate measures: CAUCE calls upon the receiving community to better protect end-users.

The list of breached companies

These financial institutions were affected by the breach:

As well, these marketing and retail companies have reportedly had their clients' names, email addresses and, in some cases, other information stolen:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry's
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriott confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith's
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email (CAUCE). Visit the blog maintained by Neil Schwartzman here.



Comment by Michele Neylon – Apr 05, 2011 1:18 AM PST

Seemingly *some* people have been contacted by the affected companies to warn them about the breach. I'm on several of these lists and am yet to receive any warnings, which I'm not overly impressed about.