Epsilon Breach Affects JPMorgan Chase, Capital One
Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?
Received one this morning. (Score:5, Interesting)
Re: (Score:2)
The U.S. version had a commercial for BBY's Geek Squad.
Hey, that's an interesting marketing twist:
"We can't take care of our own shit, so how about we mess with your stuff instead"
P.S. Mention this email and we will give you a 50% discount... So you'll only be paying twice what other shops would charge you!
Re: (Score:2)
Yup, I had one from TiVo.
Re: (Score:3)
Oddly enough, I didn't. Guess they've lost my contact info.
Nothing, yet. (Score:2)
I'm certain to receive at least one, which really does little to console me after the years of being spammed by the "legit" holders of my email addresses. This is why we have Gmail junk bucket accounts...
"Why, yes! I do have an email address for your bulletins and offers, it's [...]@gmail.com! (which I check once every blue moon or so)"
Re: (Score:2)
You don't perchance happen to have the email you sent them granting them permission to release your email address on to Epsilon and/or any other subcontractor/partnered company which fancy placed within their heads? I can only presume that no private company would be so dishonourable as to throw your or anyone else's email address about like corporate confetti paper without your explicit written permission. Perish the thought!
Re: (Score:2)
You never signed anything to allow them to hire employees to send you these messages either. They have to pay somebody to do it. Where's the legal requirement that you can't hire outside your own corporation without permission?
Re: (Score:3)
From Best Buy's Privacy Policy [bestbuy.com]:
Uses of Information
- Best Buy does not sell, rent or trade your personal information to third parties.
- We use information about you to fulfill your requests, administer various programs, provide services, and for other business purposes.
- Your personal information may be shared with current or future Best Buy entities or subsidiaries. We may also use the information you provide to send you marketing communications.
- In limited circumstances, Best Buy may need to share your in
Collegeboard.com (Score:2)
Only one so far
Re: (Score:2)
I use my real Gmail address when I sign up for most things. If they are going to be sending me things I want (e.g. e-receipts or shipping confirmations from Best Buy, Amazon, etc.) then I'll do nothing. If they are only going to send me spam newsletters and sales offers, then I will set up a filter in Gmail.
What I'd really like to be able to do though is have a filter which puts a time bomb on an email, so that it deletes it after 30 days. That way, I could save the sales offer by default in case I end u
Re: (Score:2)
Yeah, same here. I got one of these from Best Buy this morning. I smiled when I noticed the email had arrived in my catchall account, having been sent to a fake email address on my primary domain. I've been ignoring all the (legitimate) spam at that address for the entire time anyway, so it's no big deal.
None (Score:3)
I haven't gotten any yet, although I have done business with a few. If anything this is a reminder that services like Sneakemail [sneakemail.com] exist for a reason.
what good is an apology... (Score:4, Insightful)
if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.
Re: (Score:1)
None whatsoever, of course, except to let you know to be more vigilant than usual because your PII got pwned on their watch.
I work in anti-phishing. The weeks ahead should be interesting. Our bank was on the list of those pwned. Gotta warn my wife to be especially vigilant of phishing.
Re:what good is an apology... (Score:4, Informative)
Oh, come on now, let's be fair, they're all really quite sorry...
corporate persons and human rights (Score:2, Interesting)
Oh, come on now, let's be fair, they're all really quite sorry...
Don't forget, they also "regret this has taken place" in the public eye and "are working diligently... and continue to protect your personal information" by sharing your info with Experian, TransUnion, Equifax, and ChoicePoint every month; along with the occasional publicized data breach. So there you have it, a sorry, a regret, and a things will continue. You can go back to using your accounts and rest assured they are as safe as they ever were. Whatever that means.
Whenever you or I lose a company laptop,
Re: (Score:1)
If you ever expect a corporation to "be sorry" or be truly remorseful, then that's the problem. They can't; they are NOT people.
Re: (Score:1, Informative)
the supreme court disagrees
Re: (Score:2)
hence are creatures of the devil
QED
Notification (Score:2)
It is useful to let you know that your information has been compromised so you can take any appropriate action. The apology is just extra words, not the purpose of the communication.
Since when is sincerity a requirement? (Score:2)
When someone asks you "how are you?", you know, just like everybody else, that the question is not sincere. Both you and the questioner expect an answer along the lines of "I'm fine", even if you're on your death bed. Both the question and the answer are merely part of the social protocol; give a token, get a token. It may seem pretty dumb, but it has worked just fine for centuries, and heck, without empty chit-chat what would people talk about?
Not a lot... (Score:2)
So far, Best Buy and Robert Half Technology.
Re: (Score:2, Funny)
we are spam twins!
Re: (Score:2)
Ahhh... But the banks will putz and futz around before disclosing that they pooched this. (And they did... they outsourced this to a third party which doesn't have the same IT security requirements THEY have...) It's bad for business to own up to this sort of thing, and they'll put it off until the last possible moment.
Re: (Score:2)
Not sure if it was "putz and futz" but I got my alert from Chase before anyone else.
How does this happen? (Score:3)
I have received these from Best Buy and TiVo so far.
Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?
Re: (Score:2, Informative)
TiVo® Service Announcement
Dear TiVo Customer,
Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.
We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information we
Re:How does this happen? (Score:5, Interesting)
It's not so much a matter of money as it is one of logistics. Maintaining a farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt-outs and all the other stuff; handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.
If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.
Capital One spends a lot of money protecting its customers from fraud. I know that because they're regularly on the phone with me when their computers pick up suspicious activity, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut-cost, fly-by-night vendor for managing their emails. It's possible, but strikes me as odd.
Re: (Score:2)
It was written, "Maintaining a farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense."
Allow me to offer a new alternative: search your corporate soul and decide whether the email you're sending is really that important.
I got one of these notices from my CC company, and it made me really mad when I thought about how I have *never* received an email from them that wasn't an attempt to sell a balance transfer or other undesired service. Ugh.
Re: (Score:3)
I got one of these notices from my CC company, and it made me really mad when I thought about how I have *never* received an email from them that wasn't an attempt to sell a balance transfer or other undesired service.
You have now.
Re: (Score:2)
OK, that hurt.
Re: (Score:3)
Epsilon's service includes dodging anti-spam measures, which would be difficult to do if it's not your primary business.
Re: (Score:2)
I guess sending less spammy messages would be too difficult a choice to make.
Re:How does this happen? (Score:4, Interesting)
I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, DomainKeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you know what happened. I could go on, but none of these things involve spammy keywords being in the message at all.
Re: (Score:2)
Even sending out undeliverable email notices
I meant to say "even if your server is configured to send out undeliverable email notices when emails are received for invalid addresses."
Re: (Score:3)
It's not the message content, but rather the traffic patterns. Lots of email providers use dumb systems like "if a particular mailserver sends me more than X messages at once, increase their spam probability by Y" and similar. Epsilon has that data, either from the ISPs or from their own testing and uses that to get around those measures.
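The heuristic this comment describes, a per-sending-host sliding window that raises a spam score once the host exceeds some message rate, is easy to see from the receiving side. The following is an added example, not code from any mail provider or from this thread; the log format, host names, window, threshold and penalty are all constructed for illustration.

```python
"""Rate-based sender scoring: when one mail server sends more than X
messages inside a time window, raise its spam score by Y per extra message.

Added example; the log lines, hosts and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <sending host> <recipient>".
# One bulk host delivers eight messages in eight seconds; a quiet host
# delivers two messages five minutes apart.
SAMPLE_LOG = """\
2011-04-04T09:00:00 mta1.bulk.example alice@mail.example
2011-04-04T09:00:01 mta1.bulk.example bob@mail.example
2011-04-04T09:00:02 mta1.bulk.example carol@mail.example
2011-04-04T09:00:03 mx.quiet.example dave@mail.example
2011-04-04T09:00:03 mta1.bulk.example erin@mail.example
2011-04-04T09:00:04 mta1.bulk.example frank@mail.example
2011-04-04T09:00:05 mta1.bulk.example grace@mail.example
2011-04-04T09:00:06 mta1.bulk.example heidi@mail.example
2011-04-04T09:00:07 mta1.bulk.example ivan@mail.example
2011-04-04T09:05:00 mx.quiet.example judy@mail.example
"""


def parse_line(line):
    """Split one log line into (timestamp, sending host, recipient)."""
    stamp, host, rcpt = line.split()
    return datetime.fromisoformat(stamp), host, rcpt


class BurstScorer:
    """Per-host sliding window: every message beyond `threshold` inside
    `window_seconds` adds `penalty` points to that host's score (0-100)."""

    def __init__(self, window_seconds=60, threshold=5, penalty=20, cap=100):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.penalty = penalty
        self.cap = cap
        self.recent = defaultdict(deque)  # host -> timestamps still inside the window
        self.score = defaultdict(int)     # host -> accumulated spam score

    def observe(self, when, host):
        """Record one delivery from `host` at `when`; return the updated score."""
        q = self.recent[host]
        q.append(when)
        # Forget deliveries that have fallen out of the window.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.score[host] = min(self.cap, self.score[host] + self.penalty)
        return self.score[host]


def score_log(text, **kwargs):
    """Replay a log in time order (real logs interleave hosts) and return
    {host: score}."""
    scorer = BurstScorer(**kwargs)
    events = sorted(parse_line(l) for l in text.splitlines() if l.strip())
    for when, host, _rcpt in events:
        scorer.observe(when, host)
    return dict(scorer.score)


if __name__ == "__main__":
    for host, score in sorted(score_log(SAMPLE_LOG).items()):
        print(f"{host:20s} spam score {score}")
```

With the defaults, the bulk host picks up 20 points for each of its sixth, seventh and eighth messages in the minute, while the quiet host's two messages never overlap inside the window and it stays at zero. Tightening the threshold or widening the window changes who gets penalised, which is exactly the knob a sender who knows the receiver's settings can stay under.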
As if you need to ask... (Score:2)
Re:How does this happen?
I have received these from Best Buy and TiVo so far.
Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?
Cut costs, take lowest bidder, require no proof of secure measures in place or review of procedures - it's not always incompetence by the peons who build the systems, usually it's incompetence and avarice by those who remove or never hire the sort of positions which oversee data security and integrity.
Re: (Score:2)
Simple - there is no reason not to.
What are you going to do - not do business with any of the 100 companies that were compromised? All of their competitors were compromised as well.
It is like complaining about SMS prices on US cell carriers - as long as everybody offers lousy service and the FTC refuses to regulate, customers get to choose between various levels of crappiness...
US Bank (Score:3)
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm [usbank.com]
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
Re: (Score:1)
Dear valued U.S. Bank customer,
Thank you for publicly confirming that you are a customer of U.S. Bank. Your Slashdot ID and pseudonym will now be added to our data mine for association to the other information we have on file, as well as your past posting history to better profile you and your interests.
Epsilon
Really, people? Do you know what you're doing when you post these? You're leaking more information about yourself and exposing another on-line identity to being known and associated by Big Data. Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?
Re: (Score:2)
Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?
There is such a thing as unhealthy paranoia, sir. As another of US Bank's customers, I can confirm that the phrasing is identical. But who knows? Maybe there's some secret brainwave scanner encoded into the text which transmits the thoughts of anyone reading it back to US Bank's headquarters located in the heart of an active volcano.
Re: (Score:2)
Now that's how a Bank should be handling this fiasco on the customer facing side. One wonders if they'll audit their suppliers a little better and more often.
Re: (Score:2)
I got the same email. Ironically, Thunderbird flagged it as a potential scam. Heh.
just Best Buy so far, I thought it was phishing (Score:1)
List of victim companies (Score:2)
Re: (Score:2)
I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.
That's an interesting point. It's not like spammers have a lack of email addresses. Most spam to mine -- like yours -- is blocked by spam blockers at the POP level, not because my primary email address isn't already out there.
So were "they" after something more than just a collection of addresses they could have obtained in less dramatic ways? I have to suppose that more than just addresses were lost, because otherwise, what's the point?
At first I thought maybe they wanted more up-to-date and valid informat
Re: (Score:3)
They got more than just names and e-mail addresses.
The addresses they got probably have a much higher validity rate than other sources.
They know which list you were on and can probably do some joins to figure out if you were on multiple lists.
That makes for some big wins for phishing. If I am phishing and I send you a mail about your Visa card, chances are you have one, and with a lot of luck you just might fall for it. If I send you a mail about your LL Bean Visa card, well, not nearly so many people have
Re: (Score:3)
If nothing else, they now probably have a list of known live (mostly) email addresses tied to a valid company. I get tons of 'you have twitter notifications' spam, even though I don't use Twitter. Easy to ignore. But if I started getting phishing spam acting like my credit union, using my properly spelled name and email, it would be a different story. And, this includes grandma and her bank account, too. Go ahead, tell grandma to check the message source before she clicks a link to her bank that she actual
Best Buy and Ameriprise, so far. (Score:2)
Got one yesterday (Score:1)
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you
Wonderful. (Score:5, Interesting)
I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.
And yet they retained and leaked my email address.
Can I charge them a $10 monthly fee for spam removal?
Re: (Score:2)
Yes, Chase seems to be in the business of driving away their customers nowadays. I took off when they decided to jack my interest rate from 9.9 to 18% for literally no reason.
Re: (Score:2)
Chase. What a great name! Chase your customers away!
I left them this week. The wife and I calculated the United reward points we were supposedly accruing, versus the usurious increase in rates.
Let us just say that with our balance, it is cheaper to buy points at the ticketing kiosk.
Another bank we do business with will transfer the balance - at 0% for 1 year.
Re: (Score:2)
You pay interest on credit cards?
You're doing it wrong.
Re: (Score:2)
Tell me bout it.
Re: (Score:2)
Oh, they had a reason: his name is Barney Frank, and because he was going to make it nearly impossible for them to do it later, they were forced to while the gettin' was good. Also, because you actually read their correspondence carefully enough to be aware this happened, you fall into a category called "likely to pay on time and without the expensive strong-arming by the collections department", so just in case you ever do have a balance past 30 days, well, they just might make a few dollars off you.
Re: (Score:2)
I went through that call too. Twice. Both calls sparked by my reading the superfine print in the updated terms notice they sent me. First time, about 3 yrs ago, as yours went. Second time about 8 months ago, and they said thank you for your business, and transferred me to their cancellation department, which swiftly terminated my account without so much as a second glance.
I was a little surprised by that, but oh well. Not my loss. Was a little sad to see it go though, it was my first credit card while I
Re: (Score:2)
Can I charge them a $10 monthly fee for spam removal?
No, but if you had a unique address for them at your own domain then you could bounce all the spam to one of their email addresses.
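The per-vendor address that this reply and the catch-all commenters above rely on does more than absorb spam: mail arriving at a vendor-specific address from anyone other than that vendor tells you which list was leaked or sold. The following is an added example, not code from the thread or from any mail system; the domain, the tag registry, the vendor sender domains and the three messages are all constructed assumptions.

```python
"""Attribute mail at a vendor-specific address to the vendor that was given it.

Added example with constructed headers. MY_DOMAIN and REGISTRY are assumed
values standing in for a domain you control and the vendors you registered
with; neither is real.
"""
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "mydomain.example"  # assumed: a domain you run a catch-all on

# Assumed registry: the tag you gave each vendor -> domains it sends from.
REGISTRY = {
    "shop-vendor-a": {"vendor-a.example", "mail.vendor-a.example"},
    "bank-vendor-b": {"vendor-b.example"},
}


def address_tag(addr):
    """Vendor tag for 'tag@mydomain' (catch-all) or 'user+tag@mydomain'
    (plus-addressing); None if the address is not at our domain."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != MY_DOMAIN:
        return None
    return local.split("+", 1)[1] if "+" in local else local


def sender_domains(msg):
    """Domains claimed in From: and in the envelope Return-Path:.
    A forged From: with a foreign Return-Path: shows up as two domains."""
    domains = set()
    for header in ("From", "Return-Path"):
        _name, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            domains.add(addr.lower().rpartition("@")[2])
    return domains


def classify(raw):
    """Did this message reach a vendor-specific address from someone other
    than that vendor? Returns a verdict plus the evidence behind it."""
    msg = message_from_string(raw)
    _name, rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))
    tag = address_tag(rcpt)
    senders = sender_domains(msg)
    if tag is None or tag not in REGISTRY:
        return {"verdict": "unknown-address", "tag": tag, "senders": senders}
    if senders and senders <= REGISTRY[tag]:
        return {"verdict": "expected-vendor", "tag": tag, "senders": senders}
    return {"verdict": "leaked-address", "tag": tag, "senders": senders}


# Constructed messages (headers only; bodies are irrelevant to the check).
GENUINE = """From: Vendor A Offers <news@mail.vendor-a.example>
Return-Path: <bounce@mail.vendor-a.example>
To: shop-vendor-a@mydomain.example
Subject: April deals

body
"""

LEAKED = """From: Account Security <alerts@vendor-b.example>
Return-Path: <x@bulk-sender.example>
To: me+bank-vendor-b@mydomain.example
Subject: Verify your account

body
"""

UNKNOWN = """From: Someone <someone@other.example>
To: random-tag@mydomain.example
Subject: hello

body
"""

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("LEAKED", LEAKED), ("UNKNOWN", UNKNOWN)):
        print(name, classify(raw))
```

The second message is the interesting one: its From: header names the bank's domain, but the envelope Return-Path: points elsewhere, so the sender set is not a subset of what that vendor is allowed to use and the address is flagged as leaked. A tag that is not in the registry is reported separately rather than guessed at.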
Re: (Score:2)
I've never had a credit card with them, unlike some sibling commenters, but I've never particularly minded them for regular bank accounts.
The in-branch customer-service (teller transactions, etc.) of big banks generally isn't a problem, and that's most of what I deal with.
The debit card rewards program is getting phased out with the new debit card fee regulations. Very well, it's a logical response to their fees being cut, and what they were keeping would now accrue to the customer or retailer anyway.
already a casualty (Score:2)
I just checked and somebody used my CITI card to buy several new large screen TVs and all sorts of electronic equipment. Guess I'll have to call this in....
Re: (Score:1)
You used your CITI card number for your email address?
Re: (Score:2)
No... Some clients gave out more info than they ought to and it sat on Epsilon's databases.
Re: (Score:2)
While you are indeed correct I think the whoosh comment above is more fitting. Fortunately my cards thus far have been untainted. I will however be watching them like a hawk for the foreseeable future.
Two so far (Score:2)
So far I've gotten two. Best Buy and Home Shopping Network.
I'd forgotten I'd even had accounts there. I wonder what other news of my past I'll be receiving this week.
One from Robert Half (Score:4, Informative)
They have my email because they are tech headhunters, and I was unemployed a few years back.
Email encryption (Score:2)
Wasn't stuff like PGP / GPG supposed to solve all of email's problems by allowing people to use real email whitelists? Is there any effort to use public-private keyrings to sign email, so we can simply filter out all the spam that isn't signed by someone we don't know? If we actually used this stuff, they'd just have to revoke their private key (if it was among the data compromised) issue a new one (along with the apology) and be done... the email addresses wouldn't be of much further use to a spammer if
Re: (Score:2)
Having webmail provide encryption has one obvious problem: you have to give the webmail provider your secret key, implying a level of trust you probably do not have for them. You could, of course, use Thunderbird and Enigmail, but that still will not help you check your mail on any computer that isn't yours. Then there's the hassle of convincing your friends to use encryption. That task pretty much becomes impossible once you mention that a passphrase will henceforth be required to send email. GPG goes to i
Re: (Score:2)
Oh, I don't know... it was pretty easy to set up a hushmail account just now, just to see what it was like. It just uses your password as the passphrase, so it was pretty straightforward. Only 2MB for the free account, which expires after 3 weeks of inactivity, so it's of limited use, but I don't really see why the other big webmail providers couldn't follow suit.
I don't see a reason not to have a separate secret key per email account, so I'd never really have to give them whatever I considered my "main"
Re: (Score:2)
There's a second option. The webmail service could generate its own public and private key pair, and you can sign that pair with your personal key. You could then separately revoke the webmail key. Nothing says that a person can only have one PK crypto key pair.
There's a third option, too. The webmail service could use a secure call
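The whitelist-by-signature idea from the "Email encryption" comment, together with this reply's second option (the webmail service holds its own key pair, your personal key vouches for it, and that delegated key can be revoked on its own), can be shown end to end. The following is an added example, not code from the thread, from GPG or from any mail client. It uses toy textbook RSA (SHA-256, then modular exponentiation with no padding) so it runs on the standard library alone; real mail signing uses OpenPGP or S/MIME, and the key sizes and trust model here are deliberately simplified. Keys come from a seeded PRNG only so the demo is reproducible.

```python
"""Accept mail only when it is signed by a key you trust, directly or through
a delegation you signed yourself; revoke the delegated key independently.

Added example with toy RSA; not a real OpenPGP implementation.
"""
import hashlib
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd prime with the top bit set."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(rng, bits=192):
    """Toy RSA key pair: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(message, n):
    # n is at least 383 bits here, so a 256-bit hash always fits.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def encode_pub(public):
    """Canonical bytes of a public key: what a delegation certificate signs."""
    return f"{public[0]}:{public[1]}".encode()


class Keyring:
    """Trusted correspondents plus a revocation list keyed by modulus."""

    def __init__(self):
        self.trusted = set()   # public keys of people I know
        self.revoked = set()   # moduli of keys their owners withdrew

    def trust(self, pub):
        self.trusted.add(pub)

    def revoke(self, pub):
        self.revoked.add(pub[0])

    def accepts(self, message, signer_pub, signature, delegation=None):
        """delegation = (issuer_pub, cert): cert is the issuer's signature over
        encode_pub(signer_pub). Unsigned or unknown mail is simply refused."""
        if signer_pub[0] in self.revoked:
            return False
        if signer_pub in self.trusted:
            return verify(signer_pub, message, signature)
        if delegation is None:
            return False
        issuer_pub, cert = delegation
        if issuer_pub not in self.trusted or issuer_pub[0] in self.revoked:
            return False
        if not verify(issuer_pub, encode_pub(signer_pub), cert):
            return False
        return verify(signer_pub, message, signature)


def demo(seed=2011):
    """Walk through direct trust, delegation, forgery and revocation."""
    rng = random.Random(seed)
    friend_pub, friend_priv = keygen(rng)       # friend's personal key
    webmail_pub, webmail_priv = keygen(rng)     # key the webmail service holds
    stranger_pub, stranger_priv = keygen(rng)   # nobody I know
    ring = Keyring()
    ring.trust(friend_pub)
    cert = sign(friend_priv, encode_pub(webmail_pub))  # friend vouches for webmail key
    mail = b"Subject: lunch?\n\nStill on for Friday?"
    results = {
        "direct": ring.accepts(mail, friend_pub, sign(friend_priv, mail)),
        "delegated": ring.accepts(mail, webmail_pub, sign(webmail_priv, mail), (friend_pub, cert)),
        "tampered": ring.accepts(mail + b"!", friend_pub, sign(friend_priv, mail)),
        "stranger": ring.accepts(mail, stranger_pub, sign(stranger_priv, mail)),
        "forged_cert": ring.accepts(mail, stranger_pub, sign(stranger_priv, mail), (friend_pub, cert)),
    }
    ring.revoke(webmail_pub)  # webmail key exposed: withdraw only that key
    results["delegated_after_revoke"] = ring.accepts(mail, webmail_pub, sign(webmail_priv, mail), (friend_pub, cert))
    results["direct_after_revoke"] = ring.accepts(mail, friend_pub, sign(friend_priv, mail))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'accepted' if ok else 'refused'}")
```

The point the thread makes survives the toy crypto: an address alone never gets mail through, a leaked delegated key is cut off by revoking that key alone, and the friend's personal key keeps working afterwards. What the example does not solve is the usability problem the reply raises, namely getting correspondents to sign in the first place.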
My stock reply: (Score:2)
To every one of these I send this reply:
I encourage everyone who receives these apology emails to do the same. Perhaps companies will care about privacy. (Ok, I don't really believe that. But it is a good test to see if anyone actually reads replies to these emails.)
Re: (Score:2)
Is it ironic that they used Epsilon to send these warning emails from?
Re: (Score:2)
Is it ironic that they used Epsilon to send these warning emails from?
These companies didn't send these warning emails. Epsilon sent them for them on their behalf. There is a difference.
footer to the Chase email (Score:2)
If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.
Honestly though, I just don't feel myself getting worked up over this stuff (although there are more-serious privacy issues)
Re: (Score:2)
Well the email to Best Buy bounced. So yeah, they really don't give a shit to the point where they don't even pretend to accept replies.
I wonder... (Score:3)
Did they use Epsilon to send out the security alert warning emails?
>Received: from
> by pimta03.epsiloninteractive.com
Looks like it.... Hmmm... what does that say about it?
Re: (Score:2)
Did they use Epsilon to send out the security alert warning emails?
>Received: from > by pimta03.epsiloninteractive.com
Looks like it.... Hmmm... what does that say about it?
If I were Best Buy or whoever, I would be telling Epsilon "you broke it, you fix it." Which in this case means, at a minimum, sending out these notices. So I'm really not surprised. Maybe a little surprised at first.
Re: (Score:2)
I'm willing to bet Epsilon's not charging them for these mailings.
Re: (Score:2)
Yeah, I guess they already lost all the information, so why stay open to it and send even more messages?
I've got three. (Score:2)
Disney Destinations, New York & Company, AbeBooks. I'm waiting to see how these addresses (each being a different one of course) will get used. Will it be spam, trojans, nigerian princes or something new and exciting? ;)
Tivo (Score:2)
Re: (Score:2)
That's my great-grandfather's email address. Sure, we've changed the domain once and the username twice, but it's still my grandfather's email address.
Only one email... (Score:2)
I've only received one from US Bank on April 2 (two days ago). It was the first I had heard of the incident.
I've had spam by the thousands for 2 weeks... (Score:2)
Brave New Marketing Services (Score:5, Funny)
Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.
Re: (Score:2)
*glances involuntarily at Bernard*...
One from Citi this morning... (Score:2)
Outsourcing saves companies money because the outfit that takes the business can achieve better economies of scale -- yeah, they can compromise tens of millions of accounts at once for multiple firms, rather than the measly million or two that would have been screwed otherwise...
Two (Score:2)
one from Chase (posted about it in another comment)
one from AbeBooks (one of my occasional used-textbook sources):
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBo
And here I thought it was Rustock recovering (Score:2)
This explains the huge pop I saw in incoming spam to my personal account that started on March 31 and which is continuing.
Yet another reason to avoid Capital One: they sell your email to barely-legal spammers err... "marketing partners" at every opportunity, despite asking for opt-out.
Re: (Score:2)
Check it out, there's no catch all 'criminal database' full of people's credit cards and PIN numbers. If this was the case, a group could simply use this list to make everyone aware of the impending fraud...
Most 'carding' activity is done via forums and IRC.. where credit card dumps (dumps of the magnetic strip) and numbers/info are SOLD for anywhere from $1-$5 each, depending on the value of the card in question.. and if it's a dump or just information. The dumps can be used to 'write' the information to
Re: (Score:2)
Yeah, that's the same email I got from Chase
Re: (Score:2)
And so begins the mass mailings from Epsilon's secret Chinese and Russian subsidiaries.
Re: (Score:2)
Your post-ending comma is going to bother me all day.