The news gets worse by the hour. In what could be the most extensive data breach in U.S. history, at least 20 companies have reportedly joined the list of Epsilon clients whose customers’ names and email addresses were accessed by hackers on March 30.

The number of affected consumers has yet to be tallied, but the breached companies so far include the nation’s second-largest bank, its biggest grocery chain and an organization in contact with 7 million students. They range from Citibank to TiVo, JP Morgan Chase and Disney, to Walgreens and the College Board. Many of these businesses have reassured customers that neither their PII nor any financial data was compromised.

Affected companies are scrambling to warn customers of the heightened risk of phishing and spamming attacks, advising customers to be wary of emails claiming to be from them asking for personal or account information—and reiterating that they never solicit such data.

Epsilon stated that, “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.” The self-proclaimed “world’s largest permission-based email marketing provider, sending over 40 billion emails annually,” Epsilon has 2,500-plus clients (including seven of the Fortune 10) and is the kind of target that has hackers around the world high-fiving.

A breach of this epic scale highlights the persistent problem of third-party vendor breaches, which occur at every level. When consumers elect to receive email communications from a business or provide personal information in exchange for a free tote bag or sweepstakes entry, they’re not only entrusting their data to the company with which they’re directly interacting, but they’re potentially handing it over to every operation with which that company does business.

As big corporations direct significant resources toward data protection, hackers must find novel ways of getting through. Third-party vendors often offer a back door into massive amounts of data. Confirmed email addresses and names are valuable, because they are often used for logins and authentication and can be a gateway to work, financial and personal information. Hackers crack passwords and access email inboxes and contact lists that can be used to commit identity theft or financial and other scams.

An Epsilon spokeswoman declined to confirm names of affected clients or offer further comment. She stated that the company is cooperating with authorities on the ongoing investigation.

Identity Theft 911 offers comprehensive data risk and breach response services.
