In what could be the largest breach of private consumer information in history, e-mail marketing firm Epsilon disclosed on Friday, April 1 that hackers accessed names and e-mail addresses of its clients’ customers. Consumers who receive e-mail from many large retailers and financial firms – including JPMorgan Chase, Citibank, Barclay’s, and Capital One, among others – may have had their e-mail addresses exposed in the breach. Epsilon is a wholly owned subsidiary of Alliance Data Systems, which also counts its Retail Services business, as well as the various businesses under the LoyaltyOne umbrella (the Air Miles loyalty program in Canada, Direct Antidote, Precima, and Colloquy) as its main divisions. Epsilon “sends 40 billion marketing e-mails annually,” according to Finextra:
The hacked data appears to be limited to customer names and electronic contact addresses. No personal information such as credit cards or social security numbers was accessed.
In a statement, JPMorgan says: “We are advised by Epsilon that the files that were accessed did not include any customer financial information, but are actively investigating to confirm this.”
Either way, the incident is major embarrassment for Epsilon’s banking clients who must contact customers and warn them to be wary of future marketing communications and potential phishing threats.
Barclays Bank of Delaware, which was also caught up in the incident, posted this message to customers: “It is possible you may receive spam email messages as a result which could potentially ask you for additional information about your account. Please note, Barclays will never ask you in an email to verify sensitive information such as your full account number, Username, Password or Social Security Number. Therefore, any email which does so should be treated suspiciously, even if it looks like it comes from Barclays. As a reminder, we urge you to be cautious when opening links or attachments from unknown third parties.”
