SELECTED NEWS
- Filter by Company
- NAV
- AppTap
- Ember
- EveryScape
- Fashion Playtes
- GlobalLogic
- HealthWarehouse.com
- Invincea
- Koofers
- Lumidigm
- Luminus
- Maptuit
- Moda Operandi
- Nantero
- Of Course Meals
- Pine Labs
- Pontiflex
- PulsePoint
- Qliance
- RemitPro
- Scoutmob
- SepSensor
- SnappCloud
- Solve Media
- Spotflux
- Stitcher
- Tap 'n Tap
- Truveris, Inc.
- TVU Networks
- Wiggio
- Yieldbot
Citigroup, Walgreen, New York & Co. Warn of E-Mail Breaches
April 5 (Bloomberg) — Citigroup Inc. and US Bancorp are among the companies warning tens of thousands of customers to beware of cyber thieves who stole names and e-mail addresses from a company that markets their products.
The breach occurred at Alliance Data System Corp.’s Epsilon Data Management LLC, a Dallas-based provider of e-mail marketing services that says it sends out more than 40 billion e-mails a year on behalf of more than 600 companies. Epsilon said the breach occurred March 30.
JP Morgan Chase & Co., Best Buy Co., Walgreen Co., New York & Co. and at least 14 others have reported their customers’ data was stolen, according to statements by those companies and by the Connecticut Attorney General’s office.
The theft comes after similar attacks on marketing companies’ e-mail databanks, some of which were followed by attempts to coax more valuable information from customers or target their computers with data scanning software, cyber security experts said.
“Even if the only data taken in this breach are e-mail addresses, it still poses a significant risk to consumers in terms of phishing scams and other types of Internet fraud,” William Rubenstein, Connecticut’s consumer protection commissioner, said in a statement yesterday.
Epsilon Letter
Target Corp., the second-largest discount retailer in the U.S., today was the latest company to disclose that e-mail addresses used for promotions and marketing were exposed by unauthorized entry into Epsilon. Epsilon assured the retailer that “no personally identifiable information, such as names and credit card information was compromised,” Target spokeswoman Amy Reilly said in an e-mailed statement.
Connecticut Attorney General George Jepsen sent a letter to Epsilon yesterday seeking more information about how the breach occurred. He said he expected the company to help consumers who may be harmed by phishing scams.
At least 18 other companies have reported incidents. Walgreen, the largest U.S. drugstore chain, and New York & Co., a specialty apparel retailer, disclosed the accessing of the data over the weekend. The information was gained by a person outside Epsilon, according to separate statements.
Investigating Incidents
The latest disclosures said no personal identification information or credit card details were compromised. JPMorgan Chase and Kroger Co. began issuing warnings April 1, while Capital One Financial Corp. and TiVo Inc. issued statements April 3. All said they are investigating the incidents.
E-mail addresses aren’t considered sensitive information by state laws that require automatic notification of data breaches, according to Marc Zwillinger, a Washington attorney who specializes in cyber-related law.
Anup Ghosh, founder of the Fairfax, Virginia cyber security firm Invincea Inc., said the e-mails could be used as building blocks for more sophisticated attacks. By posing as a trusted institution, the thieves could trick users into downloading software that can copy bank account numbers and passwords directly from the memory of personal computers, he said.
Zwillinger said that even if that happens, it is unlikely that customers could hold Epsilon liable for the loss of the data.
“Many people make their e-mail addresses fairly well known and give them to a lot of marketers,” said Zwillinger, a partner at Zwillinger Genetski LLP. “It is hard to see direct liability for Epsilon in this case.”
Potential Liability
Epsilon bills itself as the largest “permission-based” e- mail marketer in the world, with more than $613 million in revenue in 2010. Twenty-five percent of the company’s revenue comes from the company’s 10 largest clients, according to company filings.
Epsilon’s biggest potential liability may come from those or other clients, Zwillinger said. Companies who share their information often have contracts that require the data be kept safe, and Epsilon could be sued if the marketer had weak security or was careless, he said.
Barclays Plc’s U.S. payments business, Barclaycard US, said it began notifying customers on April 3 and is “reminding customers about how to manage their e-mail address securely,” said Kevin Sullivan, a Barclays spokesman.
Marriott International Inc., the largest U.S. hotel chain, and Hilton Worldwide, which is owned by Blackstone Group LP, were also affected by the data breach.
—With assistance from Greg Farrell and Danielle Kucera in New York and Sara Forden in Washington. Editors: Peter Blumberg, Michael Hytha
To contact the reporters on this story: Michael Riley in Washington at michaelriley@bloomberg.net; Dan Hart in Washington at dahart@bloomberg.net.
To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net
