Hacking of data firm Epsilon exposes customers of 50 firms

A huge Internet security breach that exposed countless names and email addresses also focused attention on an increasingly popular target for hackers: data firms that store customers’ personal information for banks, retailers and other companies.

Customers of as many as 50 firms, including JPMorgan Chase & Co., Kroger Co., TiVo Inc., Best Buy Co., Walgreen Co. and Capital One Financial Corp., found out over the weekend that their email addresses were exposed to hackers who had broken into the system of Epsilon Data Management, a Dallas company that provides online mail services to 2,500 companies.

Notices from retailers and banks came as a surprise to many, including Chris Kubica of North Carolina, who received warning messages from Best Buy and TiVo.

“Wait, so I put my information into Best Buy, and it was stolen from some other place that I’d never heard of?” he said. “That’s a little bit scary.”

The attack on Epsilon is of a type that has become increasingly attractive to hackers: going after intermediaries or outsourcing companies like Epsilon rather than the consumer-facing firms themselves.


Those data companies handle giant troves of sensitive personal information for many retailers, banks and other companies that deal directly with the public. And with customers sharing more data with those firms across many industries, the vulnerability of data storage companies has become a growing concern.

“These are examples of why those people who provide services to thousands of other companies have to be way more secure than the individual companies themselves,” said John Pescatore, a security analyst at Gartner Inc.

The companies affected by the Epsilon hacker attack told their customers that they might see an increase in malicious email messages aimed at tricking them into handing over credit card data and other personal information.

In a ruse known as phishing, cyber-criminals try to bait consumers with emails that appear to be from legitimate companies and often ask for passwords, Social Security numbers and financial information.

Epsilon spokeswoman Jessica Simon declined to say how many users’ names and email addresses had been exposed in the attack. But she noted that no additional personal information, such as Social Security numbers, had been exposed. The company said a full investigation was underway.

Though Epsilon may have been the source of the security breach, the companies that originally collected the information may ultimately be responsible if the lost data are used for purposes that harm consumers, including identity theft.

“The liability really rests with the company that directly interacts with consumers — regardless of what the fine print said,” said Scott Brady, a managing director at Dewitt Stern, an insurance firm that works with clients in the entertainment and media industry.

In many cases, companies that provide commercial services maintain lengthy privacy policies that advise users that their email addresses or other information may be shared with other firms. But as with privacy policies from TiVo or Walgreen, secondary firms such as Epsilon are not named.

Although consumers may not be aware that their data are being shared with multiple companies, such outsourcing is commonplace in the e-commerce realm — and the potential for attack is no secret to firms involved.

“This is a widely understood and prevalent risk,” said Brady, who himself received messages from Best Buy, Ralphs and JPMorgan Chase that his personal email address had been compromised. “There are constantly people trying to break into these data repositories.”

The companies that were victimized by the attack generally said little about the extent of the security breach. A spokeswoman for Best Buy declined to comment on the number of customers affected.

Krista Wierzbicki, a spokeswoman for TiVo, referred to a brief release on the company’s website, which noted that it was conducting an “internal investigation” to verify the information provided to the company by Epsilon.

She declined to say how many TiVo customers were affected.