Companies Warn of Phishing Following E-Mail Breach

April 4, 2011 Updated: October 1, 2015

HACKERS: A woman looks at her e-mail on a computer screen in Washington. Last Friday, Dallas-based Epsilon Data Management, LLC, which handles e-mail based marketing for many Fortune 500 companies, said that hackers breached its security system and accessed millions of customers’ names and e-mail addresses. (Nicholas Kamm/Getty Images)
NEW YORK—Following last week’s security breach at online marketing firm Epsilon, a slew of companies are alerting their customers to possible phishing attacks and an increased level of e-mail spam.

Epsilon, which handles e-mail based marketing for numerous Fortune 500 companies, said last Friday that hackers breached its security system and accessed millions of customers’ names and e-mail addresses.

The breadth of the breach was revealed over the weekend and on Monday after business opened.

Firms discovered that the hackers may have gained access to the information of millions of customers at Epsilon’s clients, including Capital One, Marriott, Best Buy, JPMorgan Chase, Citibank, Walgreens, and Barclays, among others.

“An incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s e-mail system,” the company said in a statement. “The information that was obtained was limited to e-mail addresses and/or customer names only.”

In response to the hacking, a “rigorous assessment” will be done to make sure the leaked information cannot be used for illegal activities. Epsilon is a subsidiary of Plano, Texas-based Alliance Data.

Millions of People Affected

Epsilon’s business clients began warning their customers of possible privacy intrusions such as an increased number of spam attacks, although all parties denied that any sensitive or confidential information—such as account numbers and balances—was stolen.

“Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties,” on-demand entertainment firm TiVo wrote in an e-mail to its customers.

U.S. banking giant Chase said in a notice to its customers, “Be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by e-mail.” Chase is a unit of New York-based JPMorgan Chase & Co.

Similar notices were posted by Citibank, Best Buy, Walgreens, and other companies.

Reputational Risk

Analysts on Monday were cautious about condemning Alliance Data, Epsilon’s parent company and a member of the New York Stock Exchange.

“As we've noticed before, carelessness with e-mail addresses isn't a cardinal sin in the data leakage world—both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem,” said Paul Ducklin of security firm Sophos.

Others did not downplay the significance of the data breach, given the number of high-profile companies involved. At the very least, Epsilon’s reputation in the industry could be at stake.

“We think there is a significant possibility that Alliance Data will face monetary damages for the breach,” analyst Chris Brendler from Stifel Nicolaus said in an interview with Reuters. “Depending on Alliance Data's fault and response, Epsilon could face significant attrition.”

“When it's all said and done, the Epsilon hack may be the largest name and e-mail address breach in the history of the Internet,” wrote Darlene Storm of ComputerWorld in a column.

For consumers, Sophos recommends that anyone who receives a suspicious e-mail check that the domain name in the hyperlink matches the name of the vendor and that links carry the “https” designation.
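
The two checks Sophos recommends can be applied to every link in a message body. The following is an added example, not part of the original article; the vendor domain `bank.example`, the function names and the sample e-mail are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def check_link(href, vendor_domain):
    """Return the list of failed checks for one link (empty = both pass)."""
    parts = urlsplit(href)
    # .hostname drops any "user@" prefix and port, and is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    vendor = vendor_domain.lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    # The host must be the vendor domain or a subdomain of it. A substring
    # test is not enough: "bank.example.login-check.test" contains the name.
    if host != vendor and not host.endswith("." + vendor):
        problems.append("host %r is not under %s" % (host, vendor))
    return problems


def audit_email(html_body, vendor_domain):
    """Map each link in the message to its list of failed checks."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return {href: check_link(href, vendor_domain) for href in collector.links}


# Constructed sample message; all hosts use reserved example names/addresses.
SAMPLE = """<p>Dear customer,</p>
<a href="https://www.bank.example/account">View your account</a>
<a href="http://www.bank.example/login">Sign in</a>
<a href="https://bank.example.login-check.test/verify">Verify now</a>
<a href="https://bank.example@203.0.113.7/">www.bank.example</a>"""

if __name__ == "__main__":
    for link, problems in audit_email(SAMPLE, "bank.example").items():
        print(link, "->", problems or "passes both checks")
```

An empty result means only that the link passed these two checks; it does not establish that the message is legitimate.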