Major Breach at Epsilon, the World's Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands - List Continues to Grow

[Update] - Due to the growing list of brands disclosing they've been compromised as a result of this breach, I’m going to go ahead and tag this as a massive breach. And I only expect it to get bigger as more announcements come out from Epsilon customers.

Last night we reported on a breach at Epsilon, a marketing services provider and the world's largest permission-based email marketing provider. Initially we wrote that the breach had affected Kroger, the nation's largest traditional grocery retailer.

It turns out that Kroger is only one of many customers affected by the breach at Epsilon.

Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, that use it to build and host their customer databases.

SecurityWeek has been able to confirm that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands including the following:

• Kroger
• TiVo
• US Bank
• JPMorgan Chase
• Capital One
• Citi
• Home Shopping Network (HSN) (added 4/3 @10:22am)
• Ameriprise Financial
• LL Bean Visa Card
• Lacoste
• AbeBooks
• Hilton Honors Program
• Dillons
• Fred Meyer
• Beachbody (Makers of TRX)
• TD Ameritrade
• Ethan Allen
• Eileen Fisher
• MoneyGram
• TIAA-CREF
• Verizon
• Marks & Spencer (UK)
• City Market
• Smith Brands
• McKinsey & Company
• Ritz-Carlton Rewards
• Marriott Rewards
• New York & Company
• Brookstone
• Walgreens (Again!)
• The College Board (added 4/3 @8:20am)
• Disney Destinations
• Best Buy
• Robert Half
• Target
• QFC
• bebe Stores
• Ralphs
• Fry's
• 1-800-Flowers
• Red Roof Inn
• King Soopers
• Air Miles
• Eddie Bauer
• Scottrade
• Dell Australia
• Jay C

Some may dismiss the type of data harvested as a minor threat, but access to customer lists opens the door to targeted phishing attacks against customers who already expect communications from these brands. A phishing message sent to a bank customer and addressed to them by name will achieve a much higher "hit rate" than a typical "blind" spamming campaign, so this stolen information directly raises the success rate of phishing attacks.

A Marriott Rewards & Ritz Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed:

"We recently discovered that one of our third parties' computer systems was tampered with. Tampering with our systems by an unauthorized person or persons is an illegal act and we reported this incident to a law enforcement agency who is currently investigating this matter. The unauthorized person(s) had access to email addresses and member point balances. They did not have access to member addresses, account logins and passwords, credit card information or other personal data," the spokesperson wrote in an email. Correction: The Marriott Rewards spokesperson contacted us on Sunday to correct their initial statement, saying that member point balances were not disclosed after all.

Citi also warned customers over Twitter about the incident, tweeting the following: "Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email" with a link to the following statement: "Because e-mail addresses can be used for "phishing" attacks, we want to remind our customers that Citi uses an Email Security Zone in all our email to help them recognize that the email was sent by us. Customers should check the Email Security Zone to verify that email they have received is from Citi and reduce the risk of personal information being 'phished.'"

As the initial disclosure by Epsilon occurred late in the day on Friday, I expect several more brands to announce that they've been affected by the breach as well. When asked to comment, Epsilon refused to provide additional details on what other brands may have been affected.
