You have probably heard about it in the news. In what may be the largest data breach ever, measured by the number of people affected, a marketing e-mail company, Epsilon, has exposed the e-mail addresses of millions of consumers. Put simply, an intruder broke into the company's e-mail systems and stole millions of e-mail addresses. The breach highlights several implications for consumers.
In a press release on April 1st about the breach, Epsilon, a unit of Alliance Data Systems Corporation, said:
"On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."
Epsilon is one of several vendors to which companies outsource the sending of e-mail offers and deals. Epsilon sends out about 40 billion e-mail messages annually. This outsourcing (and the minimal disclosure of it to consumers) is a fairly common business practice.
The list of Epsilon's clients includes several brands you know: Capital One, Citibank, Best Buy, Disney, Home Shopping Network, JPMorgan Chase, Marriott Rewards, Ritz-Carlton Rewards, US Bank, Walgreens, The College Board, Tivo, and others. On Monday, Epsilon released a very general update that:
"The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."
Is that two percent of clients, or two percent of all clients' e-mail addresses? Usually, when a company is vague about details in a breach notice, things are bad. Plus, the investigation is not finished, so the two percent is probably an estimate and not a final number. I expected more details in the breach notice, including a description of the data security actions Epsilon is taking to prevent a repeat breach and to find and prosecute the criminal(s).
You could say this breach notice is vagueness as usual.
This breach highlights several implications consumers should be aware of:
- Breach victims can expect to receive e-mail spam, where fraudsters and identity thieves send phishing e-mails to the stolen addresses to try to trick consumers into revealing financial information (e.g., credit card numbers, debit card numbers, Social Security numbers, bank account sign-in credentials). So, consumers should know how to recognize phishing e-mails.
- Many news stories mentioned the threat of "spear phishing," where fraudsters tailor e-mails to specific recipients using details they already know about them. Yes, that is a real risk here: the stolen data pairs a customer's name and e-mail address with the brand that customer does business with, so a bogus e-mail can be made to look like it comes from that brand. These e-mails may be better crafted than usual and harder to spot.
- Companies regularly share consumers' personal information with other companies they do business with.
- Website terms and privacy policies don't always disclose these other companies' names.
- The recent trend is for advertising networks to collect more data about consumers. So, future breaches could expose more consumer data than e-mail addresses.
- Everyone was lucky this time. The breach didn't include any personal financial or payment information.
- Breach notices are often skimpy on details. That makes it tough for consumers to evaluate how security conscious the retailer (and the retailer's outsourced vendors) is. Consumers must pressure their Congressional and State representatives for legislation that requires greater disclosures.
- If you are one of those newbie Facebook members with a profile page that is both open to the public and displays your e-mail address, then you are probably already receiving phishing e-mails, and this Epsilon breach will just add to the volume in your inbox.
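To make "know how to recognize phishing e-mails" concrete, here is an added example (my code, not anything from the original post, Epsilon or Walgreens) that applies three of the usual checks to a raw e-mail: does the sender's domain belong to the brand, do visible link texts match where the links actually go, and does the message ask the reader to confirm or enter sensitive data. The two messages in it are constructed; the legitimate one mirrors the shape of the Walgreens notice quoted further down, whose sender address email.walgreens.com is the only known sending domain taken from the post. The walgreens.com entry in KNOWN_SENDERS, the brand name used as a dictionary key, and all function names are assumptions made for the example.

```python
"""Heuristics for spotting phishing e-mail that trades on a breached
brand/customer list. Added example; the messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's known sending domains. email.walgreens.com is the
# sender of the notice quoted in the post; walgreens.com is assumed.
KNOWN_SENDERS = {"walgreens": {"walgreens.com", "email.walgreens.com"}}

# An imperative followed closely by a request for sensitive data. A warning
# such as "asking for your credit card number" does not match; the phishing
# pattern "confirm your credit card number" does.
SENSITIVE_REQUEST = re.compile(
    r"\b(confirm|verify|enter|provide|update|re-enter)\b[^.]{0,60}?"
    r"\b(credit card|debit card|social security|password|account number|sign-in)\b",
    re.IGNORECASE,
)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for the .com/.net hosts here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw_message, brand):
    """Return the reasons a message claiming to be from `brand` looks like phishing."""
    known = {registrable_domain(d) for d in KNOWN_SENDERS[brand]}
    msg = message_from_string(raw_message)
    reasons = []

    # 1. Sender domain: not the brand's, or a lookalike containing the brand name.
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if registrable_domain(sender) not in known:
        kind = "lookalike" if brand in sender else "unknown"
        reasons.append(f"{kind} sender domain {sender!r}")

    # 2. Links: visible text naming one domain while the href goes to another.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = urlparse(href).hostname or ""
        shown = re.search(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(target):
            reasons.append(f"link text shows {shown.group(0)!r} but points to {target!r}")
        elif registrable_domain(target) not in known:
            reasons.append(f"link to unknown domain {target!r}")

    # 3. Content: an instruction to hand over sensitive data.
    m = SENSITIVE_REQUEST.search(re.sub(r"<[^>]+>", " ", body))
    if m:
        reasons.append(f"asks reader to {m.group(1).lower()} {m.group(2).lower()}")
    return reasons


# Constructed phishing message (not a real e-mail).
SAMPLE_PHISH = """\
From: Walgreens Security <alerts@walgreens-verify.com>
Subject: Confirm your account
Content-Type: text/html; charset=utf-8

<p>Dear Valued Customer,</p>
<p>Due to a recent security incident, please visit
<a href="http://walgreens.account-check.net/login">www.walgreens.com</a>
and confirm your credit card number to keep your account active.</p>
"""

# Constructed message in the shape of the Walgreens notice quoted in the post.
SAMPLE_LEGIT = """\
From: Walgreens <Walgreens@email.walgreens.com>
Subject: A Message from Walgreens
Content-Type: text/plain; charset=utf-8

Dear Valued Customer,
Walgreens will not send you emails asking for your credit card number,
social security number or other personally identifiable information.
If ever asked for this information, you can be confident it is not from Walgreens.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw, "walgreens") or ["no indicators"])
```

These checks are aids, not proof. A spear-phishing message built from the stolen list can use the right brand name, the right customer name and a plausible pretext, and only the sender domain and the link targets give it away; a message that passes all three checks is still not guaranteed genuine. The domain helper also ignores public-suffix cases such as co.uk, so it would need a real public suffix list before use on arbitrary mail. The simplest rule remains the one in the Walgreens notice: a legitimate notice does not ask you to supply card numbers, Social Security numbers or sign-in credentials by e-mail.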
An I've Been Mugged reader shared the breach notice Walgreen's sent to its affected customers:
"From: Walgreens <Walgreens@email.walgreens.com>
Subject: A Message from Walgreens
Date: Monday, April 4, 2011, 9:17 PM
Dear Valued Customer,
On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.
We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon's email system.
For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.
We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Walgreens Customer Service Team"
That's all Walgreens has to say? How can Walgreens be confident when Epsilon hasn't finished its investigation? I expected Walgreens to say much more. Is Epsilon the e-mail outsourcing vendor with the best data security? How is Walgreens working with Epsilon so this doesn't happen again? What updates about the breach investigation are Walgreens executives demanding? How many Walgreens customers were affected?
What's your view of this breach and the breach notices? Were you affected by the breach?