By Andrew Couts
What's being described as a "massive" security breach at email marketing firm Epsilon has compromised the customer names and emails of some of the largest companies in the US, including seven of Fortune's top 10 institutions, reports SecurityWeek.
Epsilon reportedly sends out 40 billion emails each year for more than 2,500 clients. SecurityWeek reports that clients of Epsilon affected by the infiltration include: TiVo, US Bank, JPMorgan Chase, Verizon, Capital One, Marriott Rewards, Ritz-Carlton Rewards, Citi, Brookstone, McKinsey & Co., New York & Co, Kroger and Walgreens.
Epsilon has refused to confirm the full list of companies hit by the breach. But the company tells Reuters that it is "cooperating with a number of authorities now, so I don't know how long it (the investigation) will take."
According to SecurityWeek, the data breach has put some customer email addresses of the second largest bank in the US, JPMorgan Chase, and the email addresses and names of Kroger, the largest grocery store chain in the country, in the hands of hackers.
"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said in a statement on Friday. "The information that was obtained was limited to email addresses and/or customer names only."
Kroger sent out an email to customers letting them know that names and email addresses had been stolen, and to warn them that they may receive "phishing" emails as due to the Epsilon breach.
"As a result, it is possible you may receive some spam email messages," Kroger said in the email. "We apologize for any inconvenience. Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted"
SecurityWeek extends the possibility of phishing attacks to any company affected by the database break-in.
The situation for Chase and Citibank could potentially be more problematic. Epsilon manages the loyalty programs from Chase and Citi credit card customers. According to Computerworld, this includes information that may "be extremely valuable to criminals looking to steal banking information in phishing attacks."
Chase said in a statement that it is "actively investigating to confirm" that, aside from email addresses, no other personal information was acquired by the hackers. The bank also tells Reuters that a "full investigation" is underway.
Citi released a statement via Twitter. The tweet read: "Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email." A link to a full statement was provided, which also warned customers of phishing attacks.