Forgot your password?
typodupeerror
Crime Security IT Your Rights Online

Epsilon Breach Affects JPMorgan Chase, Capital One 180

Posted by CmdrTaco
from the sorry-bout-that-my-bad dept.
Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?
This discussion has been archived. No new comments can be posted.

Epsilon Breach Affects JPMorgan Chase, Capital One

Comments Filter:
  • by grub (11606) <slashdot@grub.net> on Monday April 04, 2011 @12:38PM (#35709438) Homepage Journal
    I received this today. Another case where I'm happy to use throw-away accounts at a domain I own.

    Dear [me],

    We have been informed by our email service provider, Epsilon, that your name
    and email address have been exposed by unauthorized entry into their system.
    Epsilon deploys emails on our behalf to our Reward Zone members. Click here
    to read Epsilon's statement.

    We have been assured by Epsilon that the only information that has been
    exposed was your name and email address. A rigorous assessment by Epsilon
    has determined that account details, passwords or any other personal
    information were not at risk.

    It is possible that you may receive spam email messages as a result and we
    would advise you to be very cautious when opening links or attachments from
    unknown senders. More information on spam and protecting yourself from email
    fraud can be found here.

    In keeping with security industry best practices, Best Buy will never ask
    you to provide or confirm any information, including credit card numbers,
    unless you are on our secure e-commerce site, www.bestbuy.ca. If you receive
    an email asking for personal information, delete it. It did not come from
    Best Buy. The next scheduled email from Reward Zone about our Trade In Event
    will arrive to your inbox on April 15, 2011.

    Our service provider has reported this incident to the appropriate
    authorities.

    We regret this has taken place and any inconvenience this may have caused
    you. We take your privacy very seriously, and we are working diligently to
    fully investigate this situation and continue to protect your personal
    information. If you have further concerns or questions please contact us:
    1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

    Sincerely,

    Angela Scardillo
    Vice President of Marketing
    Best Buy Canada

    • by O(+inf) (2033618)
      Ditto - the only one seen so far was from Best Buy.
    • by gfreeman (456642)

      Yup, I had one from TiVo.

    • I'm certain to receive at least one, which really does little to console me after the years of being spammed by the "legit" holders of my email addresses. This is why we have Gmail junk bucket accounts...

      "Why, yes! I do have an email address for your bulletins and offers, it's [...]@gmail.com! (which I check once every blue moon or so)"

    • You don't perchance happen to have the email you sent them granting them permission to release your email address on to Epsilon and/or any other subcontractor/partnered company which fancy placed within their heads? I can only presume that ni private company would be do dishonourable as to throw your or anyone else's email address about like corporate confetti paper without your explicit written permission. Perish the thought!

      • by omnichad (1198475)

        You never signed anything to allow them to hire employees to send you these messages either. They have to pay somebody to do it. Where's the legal requirement that you can't hire outside your own corporation without permission?

      • by cdrudge (68377)

        From Best Buy's Privacy Policy [bestbuy.com]:

        Uses of Information
        - Best Buy does not sell, rent or trade your personal information to third parties.
        - We use information about you to fulfill your requests, administer various programs, provide services, and for other business purposes.
        - Your personal information may be shared with current or future Best Buy entities or subsidiaries. We may also use the information you provide to send you marketing communications.
        - In limited circumstances, Best Buy may need to share your in

    • Only one so far

  • by hedwards (940851) on Monday April 04, 2011 @12:41PM (#35709458)

    I haven't gotten any yet, although I have done business with a few. If anything this is a reminder that services like Sneakemail [sneakemail.com] exist for a reason.

  • by Lead Butthead (321013) on Monday April 04, 2011 @12:42PM (#35709478) Journal

    if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.

    • None whatsoever, of course, except to let you know to be more vigilant than usual because your PII got pwned on their watch.

      I work in anti-phishing. The weeks ahead should be interesting. Our bank was on the list of those pwned. Gotta warn my wife to be especially vigilant of phishing.

    • by Ambiguous Coward (205751) on Monday April 04, 2011 @01:09PM (#35709774) Homepage

      Oh, come on now, let's be fair, they're all really quite sorry...

      ...sorry the public was made aware of the breach.

      • Oh, come on now, let's be fair, they're all really quite sorry...

        ...sorry the public was made aware of the breach.

        Don't forget, they also "regret this has taken place" in the public eye and "are working diligently... and continue to protect your personal information" by sharing your info with Experian, TransUnion, Equifax, and ChoicePoint every month; along with the occasional publicized data breach. So there you have it, a sorry, a regret, and a things will continue. You can go back to using your accounts and rest assured they are as safe as they ever were. Whatever that means.

        Whenever you or I lose a company laptop,

    • by Anonymous Coward

      If you ever expect a corporation to "be sorry" or truely remorse then that's the problem. They cant, they are NOT people.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        the supreme court disagrees

    • It is useful to let you know that your information has been compromised so you can take any appropriate action. The apology is just extra words, not the purpose of the communication.

    • When someone asks you "how are you?", you know, just like everybody else, that the question is not sincere. Both you and the questioner expect an answer along the lines of "I'm fine", even if you're on your death bed. Both the question and the answer are merely part of the social protocol; give a token, get a token. It may seem pretty dumb, but it has worked just fine for centuries, and heck, without empty chit-chat what would people talk about?

  • So far, best buy and robert half technology.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      we are spam twins!

    • by Svartalf (2997)

      Ahhh... But the banks will putz and futz around before disclosing that they pooched this. (And they did...they outsourced this to a third party which doesn't have the same IT security requirements THEY have...) It's bad for business for to own up to this sort of thing- and they'll put it off until the last possible moment.

  • by jaymz666 (34050) on Monday April 04, 2011 @12:44PM (#35709500)

    I have received these from Best Buy and TiVo so far.

    Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?

    • Re: (Score:2, Informative)

      by jaymz666 (34050)

      TiVo® Service Announcement

      Dear TiVo Customer,

      Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

      We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information we

    • by hedwards (940851) on Monday April 04, 2011 @12:51PM (#35709580)

      It's not so much a matter of money as it is one of logistics. Maintaining an farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt outs and all the other stuff, handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.

      If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.

      Capitalone, spends a lot of money protecting its customers from fraud, I know that because they're regularly on the phone with me when their computers pick up suspicious activities, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut cost fly by night vendor for managing their emails. It's possible, but strikes me as odd.

      • by himself (66589)

        It was written, "Maintaining an farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. "

        Allow me to offer a new alternative: search your corporate soul and decide whether the email you're sending is really that important.

        I got one of these notices from my CC company, and it made me really mad when I thought about how I have *never* received an email from them that wasn't an attempt to sell a balance transfer or other undesired service. Ugh.

        • by Culture20 (968837)

          I got one of these notices from my CC company, and it made me really mad when I thought about how I have *never* received an email from them that wasn't an attempt to sell a balance transfer or other undesired service.

          You have now.

    • by compro01 (777531)

      Epsilon's service includes dodging anti-spam measures, which would be difficult to do if it's not your primary business.

      • by jaymz666 (34050)

        I guess sending less spammy messages would be too difficult a choice to make

        • by omnichad (1198475) on Monday April 04, 2011 @02:07PM (#35710742) Homepage

          I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, Domainkeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you knew what happened. I could go on, but none of these things involve spammy keywords being in the message at all.

          • by omnichad (1198475)

            Even sending out undeliverable email notices

            I meant to say "even if your server is configured to send out undeliverable email notices when emails are received for invalid addresses."

        • by compro01 (777531)

          It's not the message content, but rather the traffic patterns. Lots of email providers use dumb systems like "if a particular mailserver sends me more than X messages at once, increase their spam probability by Y" and similar. Epsilon has that data, either from the ISPs or from their own testing and uses that to get around those measures.

    • Re:How does this happen?

      I have received these from Best Buy and TiVo so far.

      Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?

      Cut costs, take lowest bidder, require no proof of secure measures in place or review of procedures - it's not always incompetence by the peons who build the systems, usually it's incompetence and avarice by those who remove or never hire the sort of positions which oversee data security and integrity.

    • by Rich0 (548339)

      Simple - there is no reason not to.

      What are you going to do - not do business with any of the 100 companies that were compromised? All of their competitors were compromised as well.

      It is like complaining about SMS prices on US cell carriers - as long as everybody offers lousy service and the FTC refuses to regulate, customers get to choose between various levels of crappiness...

  • by jmanforever (603829) <jmanforeverNO@SPAMrockroll.org> on Monday April 04, 2011 @12:45PM (#35709508)

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
    http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm [usbank.com]

    In addition, if you receive any suspicious looking emails, please tell us immediately.
    Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

    The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

    • by HTH NE1 (675604)

      Dear valued U.S. Bank customer,

      Thank you for publicly confirming that you are a customer of U.S. Bank. Your Slashdot ID and pseudonym will now be added to our data mine for association to the other information we have on file, as well as your past posting history to better profile you and your interests.

      Epsilon

      Really, people? Do you know what you're doing when you post these? You're leaking more information about yourself and exposing another on-line identity to being known and associated by Big Data. Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?

      • Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?

        There is such a thing as unhealthy paranoia, sir. As another of US Bank's customers, I can confirm that the phrasing is identical. But who knows? Maybe there's some secret brainwave scanner encoded into the text which transmits the thoughts of anyone reading it back to US Bank's headquarters located in the heart of an active volcano.

      • by tyrione (134248)
        It's not unique. That is US Bank's direct form response.
    • by Svartalf (2997)

      Now that's how a Bank should be handling this fiasco on the customer facing side. One wonders if they'll audit their suppliers a little better and more often.

    • I got the same email. Ironically, Thunderbird flagged it as a potential scam. Heh.

  • Called the company to report a phishing attempt and they said no, it was legit.
  • I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.
    • I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.

      That's an interesting point. It's not like spammers have a lack of email addresses. Most spam to mine -- like yours -- is blocked by spam blockers at the POP level, not because my primary email address isn't already out there.

      So were "they" after something more than just a collection of addresses they could have obtained in less dramatic ways? I have to suppose that more than just addresses were lost, because otherwise, what's the point?

      At first I thought maybe they wanted more up-to-date and valid informat

      • by DarkOx (621550)

        They got more then just Names and E-mail address.
        The address they got probably have a much higher validity rate than other sources.
        They know which list you were on and can probably do some joins to get figure out if you were on multiple lists.

        That makes for some big wins for phising. If I am phishing I and I send you a mail about your Visa card chances are you have one and with a lots of luck you just might fall for it. If I send you a mail about your LL Bean Visa card well not nearly so many people have

    • by jank1887 (815982)

      If nothing else, they now probably have a list of known live (mostly) email addresses tied to a valid company. I get tons of 'you have twitter notifications' spam, even though I don't use Twitter. Easy to ignore. But if I started getting phishing spam acting like my credit union, using my properly spelled name and email, it would be a different story. And, this includes grandma and her bank account, too. Go ahead, tell grandma to check the message source before she clicks a link to her bank that she actual

  • I'm expecting one from Walgreen's and Marriott soon.
  • Epsilon Informs AbeBooks of E-mail Database Breach

    We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

    As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you

  • Wonderful. (Score:5, Interesting)

    by bobdotorg (598873) on Monday April 04, 2011 @12:50PM (#35709578)

    I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.

    And yet they retained and leaked my email address.

    Can I charge them a $10 monthly fee for spam removal?

    • Did they sign a contract you made to that or another effect along the lines of "if I ever want to charge you, I will." (Of course they send prior notice...albeit usually in 5 point font in what feels like a spam mailing to encourage it being dumped and forgotten about.)
    • by v1 (525388)

      yes chase seems to be in the business of driving away their customers nowadays. I took off when they decided to jack my interest rate from 9.9 to 18% for literally no reason.

      • Chase. What a great name! Chase your customers away!

        I left them this week. The wife and I calculated the United rewards point we were supposedly accruing, versus the usurious increase in rates.

        Let us just say that with our balance, it is cheaper to buy points at the ticketing kiosk.

        Another bank we do business with will transfer the balance - at 0% for 1 year.

      • by DarkOx (621550)

        Oh they had a reason, his name is Barney Frank and because he was going to make it nearly impossible for them to do it later they were forced to while the gettin was good. Also because you actually ready their correspondence carefully enough to be aware this happen you fall into a category called likely to pay on time and without the expensive strong arming by the collections department, so just encase you ever do have a balance past 30 days well they just might make few dollars of you.

    • Can I charge them a $10 monthly fee for spam removal?

      No, but if you had a unique address for them at your own domain then you could bounce all the spam to one of their email addresses.

    • I've never had a credit card with them unlike some sibling commenters, but I've never particularly minded them for regular bank accounts

      The in-branch customer-service (teller transactions, etc.) of big banks generally isn't a problem, and that's most of what I deal with.

      The debit card rewards program is getting phased out with the new debit card fee regulations - very well, it's a logical response to their fees being cut. and what they were keeping would now accrue to the customer or retailer anyway.

  • I just checked and somebody used my CITI card to buy several new large screen TVs and all sorts of electronic equipment. Guess I'll have to call this in....

    • by Anonymous Coward

      You used your CITI card number for your email address?

      • by Svartalf (2997)

        No... Some clients gave out more info than they ought to and it sat on Epsilon's databases.

        • by ArhcAngel (247594)

          While you are indeed correct I think the whoosh comment above is more fitting. Fortunately my cards thus far have been untainted. I will however be watching them like a hawk for the foreseeable future.

        • by canajin56 (660655)
          Epsilon said the breach was only names and email addresses, with the exception of a few clients who had member balances or other minor data included in their mailings (such as member points, where some sale flyers will tell you how many points you have to spend on these cool savings). CITI itself said the breach was only names and email addresses. So your conspiracy theory is that they are both lying, and the breach included credit card numbers. But, since both companies involved insist that they have ch
  • So far I've gotten two. Best Buy and Home Shopping Network.

    I'd forgotten I'd even had accounts there. I wonder what other news of my past I'll be receiving this week.

  • by wiredog (43288) on Monday April 04, 2011 @01:05PM (#35709740) Journal

    They have my email because they are tech headhunters, and I was unemployed a few years back.

     

    Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

    As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.

    Sincerely,

    Robert Half Customer Care

    • by sajuuk (1371145)
      Same here, I totally forgot I had applied for a job through them when I was hunting for work right out of college.
  • Wasn't stuff like PGP / GPG supposed to solve all of email's problems by allowing people to use real email whitelists? Is there any effort to use public-private keyrings to sign email, so we can simply filter out all the spam that isn't signed by someone we don't know? If we actually used this stuff, they'd just have to revoke their private key (if it was among the data compromised) issue a new one (along with the apology) and be done... the email addresses wouldn't be of much further use to a spammer if

    • by Chemisor (97276)

      Having webmail provide encryption has one obvious problem: you have to give the webmail provider your secret key, implying a level of trust you probably do not have for them. You could, of course, use Thunderbird and Enigmail, but that still will not help you check your mail on any computer that isn't yours. Then there's the hassle of convincing your friends to use encryption. That task pretty much becomes impossible once you mention that a passphrase will henceforth be required to send email. GPG goes to i

      • by rwa2 (4391) *

        Oh, I don't know... it was pretty easy to set up a hushmail account just now, just to see what it was like. It just uses your password as the passphrase, so it was pretty straightforward. Only 2MB for the free account, which expires after 3 weeks of inactivity, so it's of limited use, but I don't really see why the other big webmail providers couldn't follow suit.

        I don't see a reason not to have a separate secret key per email account, so I'd never really have to give them whatever I considered my "main"

      • by dgatwood (11270)

        Having webmail provide encryption has one obvious problem: you have to give the webmail provider your secret key, implying a level of trust you probably do not have for them.

        There's a second option. The webmail service could generate its own public and private key pair, and you can sign that pair with your personal key. You could then separately revoke the webmail key. Nothing says that a person can only have one PK crypto key pair.

        There's a third option, too. The webmail service could use a secure call

  • To every one of these I send this reply:

    I hold your company directly responsible for this breach of privacy. I do not care that you place the blame with a 3rd party company.

    I encourage everyone who receives these apology emails to do the same. Perhaps companies will care about privacy. (Ok, I don't really believe that. But it is a good test to see if anyone actually reads replies to these emails.)

    • by jaymz666 (34050)

      Is it ironic that they used Epsilon to send these warning emails from?

      • Is it ironic that they used Epsilon to send these warning emails from?

        These companies didn't send these warning emails. Epsilon sent them for them on their behalf. There is a difference.

    • If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

      Honestly though, I just don't feel myself getting worked up over this stuff (although there are more-serious privacy issues)

  • by jaymz666 (34050) on Monday April 04, 2011 @01:12PM (#35709814)

    Did they use Epsilon to send out the security alert warning emails?

    >Received: from
    > by pimta03.epsiloninteractive.com

    Looks like it.... Hmmm... what does that say about it?

    • Did they use Epsilon to send out the security alert warning emails?

      >Received: from > by pimta03.epsiloninteractive.com

      Looks like it.... Hmmm... what does that say about it?

      If I were Best Buy or whoever, I would be telling Epsilon "you broke it, you fix it." Which in this case means -- at a minimum -- sending out these notices. So I'm really not surprised. Maybe surprised little at first.

      • by jank1887 (815982)

        I'm willing to bet Epsilon's not charging them for these mailings.

      • by jaymz666 (34050)

        yeah, I guess they already lost all the information, so why stay open to it and send even more messages

  • Disney Destinations, New York & Company, AbeBooks. I'm waiting to see how these addresses (each being a different one of course) will get used. Will it be spam, trojans, nigerian princes or something new and exciting? ;)

  • by Xian97 (714198)
    I received one from Tivo, and I haven't been a customer for over 2 years. I guess they still had my account info stored. It was actually my father's account, but since he doesn't have a computer we used my contact info.
    • by jank1887 (815982)

      that's my great-grandfather's email address. sure we've changed the domain once and the username twice, but it's still my grandfather's email address.

  • I've only received one from US Bank on April 2 (two days ago). It was the first I had heard of the incident.

  • and only found out why on Saturday.
  • by AdamThor (995520) on Monday April 04, 2011 @01:29PM (#35710072)

    Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.

  • Citi hasn't been doing too well on these things recently; they've replaced our cards twice in the last few months.

    Outsourcing saves companies money because the outfit that takes the business can achieve better economies of scale -- yeah, they can compromise tens of millions of accounts at once for multiple firms, rather than the measly million or two that would have been screwed otherwise...
  • one from Chase (posted about it in another comment)

    one from AbeBooks (one of my occasional used-textbook sources):

    Epsilon Informs AbeBooks of E-mail Database Breach

    We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

    As a reminder, AbeBo

  • This explains the huge pop I saw in incoming spam to my personal account that started on March 31 and which is continuing.

    Yet another reason to avoid Capital One: they sell your email to barely-legal spammers err... "marketing partners" at every opportunity, despite asking for opt-out.

You can do this in a number of ways. IBM chose to do all of them. Why do you find that funny? -- D. Taylor, Computer Science 350

Working...