Epsilon: Biggest Breach Ever?

Major Banks, Merchants Impacted by Marketing Company Hack

The list of banking institutions and retailers affected by the Epsilon e-mail breach continues to grow.


So far, Citi, Chase, U.S. Bank, Capital One, Barclays Bank of Delaware, Verizon, Walgreens, Visa, Kroger, Marriott International, Ritz-Carlton Rewards, Brookstone, New York & Co., TiVo, HSN and L.L. Bean are among the confirmed entities to be hit by what some observers say could be one of the biggest data breaches to date.

Epsilon, an online marketing unit of Alliance Data Systems Corp., announced on April 1 that some of its customer files had been accessed in an outside intrusion. Epsilon sends e-mail campaigns and offers to consumers who register for a company's website or who give their e-mail addresses while shopping. Epsilon sends more than 40 billion e-mails annually and also runs loyalty programs for Citi and Chase credit card users. Epsilon's databases house consumer information that cybercriminals could use for targeted phishing attacks, better known as spear phishing.

In a brief statement, Epsilon says it detected a breach on March 30 during which "clients' customer data were exposed by an unauthorized entry into Epsilon's e-mail system."

Subsequently, Chase and U.S. Bank both issued statements last week telling customers they should be wary of phishy e-mails.

'Biggest Breach We Have Ever Seen'

Epsilon says it does not suspect any financial information has been compromised. But it's likely just a matter of time before personal and financial information is exploited, says Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting.

"It is the biggest breach we have ever seen," Schwartzman says. "And to say no financial information has been stolen is, well, understating the massive breach and concern."

To date, the largest known incident is the Heartland Payment Systems data breach, which impacted an estimated 130 million payment cards.

Though it is still too early to confirm the depth and breadth of the Epsilon breach, Schwartzman says he expects the list of affected companies and institutions to continue to grow. He also says Epsilon should be held to the flames for not adequately protecting sensitive consumer information. "Some of the most fundamental steps of protecting consumer data were not taken here," he says.


About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



