Epsilon Breach Affects JPMorgan Chase, Capital One

Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?

Received one this morning.

[grub]

I received this today. Another case where I'm happy to use throw-away accounts at a domain I own.

Dear [me],

We have been informed by our email service provider, Epsilon, that your name
and email address have been exposed by unauthorized entry into their system.
Epsilon deploys emails on our behalf to our Reward Zone members. Click here
to read Epsilon's statement.

We have been assured by Epsilon that the only information that has been
exposed was your name and email address. A rigorous assessment by Epsilon
has determined that account details, passwords or any other personal
information were not at risk.

It is possible that you may receive spam email messages as a result and we
would advise you to be very cautious when opening links or attachments from
unknown senders. More information on spam and protecting yourself from email
fraud can be found here.

In keeping with security industry best practices, Best Buy will never ask
you to provide or confirm any information, including credit card numbers,
unless you are on our secure e-commerce site, www.bestbuy.ca. If you receive
an email asking for personal information, delete it. It did not come from
Best Buy. The next scheduled email from Reward Zone about our Trade In Event
will arrive to your inbox on April 15, 2011.

Our service provider has reported this incident to the appropriate
authorities.

We regret this has taken place and any inconvenience this may have caused
you. We take your privacy very seriously, and we are working diligently to
fully investigate this situation and continue to protect your personal
information. If you have further concerns or questions please contact us:
1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

Sincerely,

Angela Scardillo
Vice President of Marketing
Best Buy Canada

Wonderful.

[bobdotorg]

I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.

And yet they retained and leaked my email address.

Can I charge them a $10 monthly fee for spam removal?

Re:How does this happen?

[hedwards]

It's not so much a matter of money as it is one of logistics. Maintaining an farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt outs and all the other stuff, handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.

If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.

Capitalone, spends a lot of money protecting its customers from fraud, I know that because they're regularly on the phone with me when their computers pick up suspicious activities, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut cost fly by night vendor for managing their emails. It's possible, but strikes me as odd.

Re:How does this happen?

[omnichad]

I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, Domainkeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you knew what happened. I could go on, but none of these things involve spammy keywords being in the message at all.

corporate persons and human rights

[manaway]

Oh, come on now, let's be fair, they're all really quite sorry...

...sorry the public was made aware of the breach.

Don't forget, they also "regret this has taken place" in the public eye and "are working diligently... and continue to protect your personal information" by sharing your info with Experian, TransUnion, Equifax, and ChoicePoint every month; along with the occasional publicized data breach. So there you have it, a sorry, a regret, and a things will continue. You can go back to using your accounts and rest assured they are as safe as they ever were. Whatever that means.

Whenever you or I lose a company laptop, violate a contract, disclose a non-disclosure agreement, expose a sealed order, blow the whistle on environmental violations, expose internal corporate corruption, we are harangued, demoted, sued, fined, fired, jailed, or blacklisted. Maybe the difference between being a human and a corporation having the same rights as a person hasn't worked out and is slowly changing?