Epsilon hacking exposes customers of Best Buy, Capital One, Citi, JPMorgan Chase and others


This article was originally on a blog post platform and may be missing photos, graphics or links. See About archive blog posts.

Customer data at Best Buy, Capital One, Citi, JPMorgan Chase, US Bank, TiVo and Walgreens -- all managed by Epsilon, an online marketing company -- were accessed by hackers last weekend.

The affected companies have sent emails to their customers warning them of the security breach, with Best Buy saying in an email: ‘On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization,’ wrote Barry Judge, Best Buy’s chief marketing officer.


‘We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.’

Best Buy and others warned customers to remain alert to unusual or suspicious emails.

‘In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site,,’ Judge wrote. ‘If you receive an email asking for personal information, delete it. It did not come from Best Buy.’

JPMorgan Chase issued a statement on the hack, saying, ‘We are advised by Epsilon that the files that were accessed did not include any customer financial information, but are actively investigating to confirm this. As always, we are advising our customers of everything we know as we know it. Chase will never ask customers for personal information or credentials in an email.’

In a statement on its website, Epsilon said the incident took place on March 30 when ‘a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.’

Epsilon officials were unavailable for comment on the hack on Monday.

Based in Dallas, Epsilon sends more than 40 billion emails each year and has more than 2,500 clients, according to a report from Security Week.

The company said it was still investigating the security breach. A list of the affected companies, as reported by Security Week:


  • Ameriprise Financial
  • Best Buy
  • Brookstone
  • Capital One
  • Citi
  • Disney Destinations
  • Home Shopping Network
  • JPMorgan Chase
  • Kroger
  • LL Bean Visa Card
  • Marriott Rewards
  • McKinsey & Company
  • New York & Company
  • Ritz-Carlton Rewards
  • TiVo
  • The College Board
  • US Bank

[Updated at 1:27 p.m.: Epsilon spokeswoman Jessica Simon said the company wasn’t speaking on the hacking outside of the statement on its website, which is quoted in the above post.]

[Updated at 2:52 p.m.: The Associated Press released an update list of the companies affected by the recent Epsilon hack. The AP’s list included a few companies not previously noted, as seen below:

  •’s AbeBooks subsidiary
  • Barclays Bank and U.S. customers of Barclaycard
  • Ethan Allen Interiors
  • Hilton Worldwide: inclusing Hilton, DoubleTree, Hampton Inn and Waldolf Astoria
  • HSN Inc., a retail offshoot of the Home Shopping Network]


RSA, the security division of EMC, gets hacked

Stephen Colbert takes on HBGary’s Anonymous problem

Five alleged Anonymous ‘hacktivists’ arrested in England for Web attacks


-- Nathan Olivarez-Giles