From the this-may-be-getting-ugly dept.: Adding to the growing list of companies affected by a breach at Dallas-based Epsilon, Stitch Kingdom reports that Disney Destinations (The Walt Disney Travel Company) was also affected by the breach. But I knew that already thanks to a site reader who tiredly sent me the notification he received from them. It was the second notification he’s received from clients of Epsilon, and as he notes, “This is getting old….”
Elsewhere, Security Week’s Mike Lennon reports that Marriott Rewards, Ritz-Carlton Rewards, and Citi have also confirmed that their customers’ names and email addresses were obtained in the Epsilon breach. In a sign of the times, perhaps, Citi also used Twitter to point its customers to a notification on its site reminding them to check for an email security feature it employs in all legitimate email. [Update: Ameriprise has joined the ranks of those affected.]
Kroger, Capital One, Brookstone, JPMorgan Chase, US Bank, New York & Company, TiVo, McKinsey Quarterly, and the College Board have also issued releases concerning the breach, which was announced by Epsilon on Friday. In most cases, the only data reportedly acquired by the hackers were names and email addresses, but in the case of some reward programs, reward point balances may also have been acquired. The massive scope of the breach, in terms of the number of clients and their customers affected, adds a bit of irony to Epsilon’s trademark, “Marketing as Usual. Not a Chance.”
But the notice that really got my attention was what appeared to be Walgreens’ second breach notification in recent months. Was this Epsilon’s second breach in recent months or did Walgreens just have the misfortune to have used two email service providers who had breaches within months of each other? Or was this a case where the scope of an earlier breach had not been fully realized?
Back in December, when Walgreens announced that its customer email marketing list had been acquired by a hacker or hackers, it didn’t name the vendor involved. At around the same time, some clients of SilverPop were notifying their customers that their email marketing lists had been acquired by hackers, and Walgreens’ name was tentatively linked to the SilverPop breach. SilverPop issued a statement at that time suggesting that not all media reports were accurate, but did not specifically name which reports were wrong.
Yesterday, I contacted Walgreens to ask directly, among other questions, whether their December notification to customers was due to SilverPop or Epsilon. A Walgreens spokesperson responded:
After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.
It seems, then, that the March 30th Epsilon incident may have been Epsilon’s second known incident in recent months. As noted in a previous blog entry, there’s also been some question raised as to whether SilverPop has had a second breach. What’s going on here?
If it’s true that there has been more than one round of hacks on the same email service providers, this could get ugly for them, and the FTC might even choose to look into whether the firms have lived up to any privacy and security promises they may have made.
Epsilon did not respond to an inquiry sent to them last night asking for confirmation or disconfirmation that this was their second breach in the past few months, but I do hope they respond with a clarification or explain why Walgreens has seemingly had to notify customers twice in recent months.
Update: Epsilon’s spokesperson has sent DataBreaches.net the following statement:
As noted in Epsilon’s statement on Friday, this incident is under investigation and as such, Epsilon is unable to discuss the matter beyond what was communicated in the statement. Additionally, we cannot comment or speculate about this matter on any of our clients’ behalf. This incident involves email addresses and/or customer names only. No other identifiable information was obtained.
So we still don’t have a direct answer as to whether this is a second data breach or not. Stay tuned.
Re: “After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.”
The hack at Silverpop is believed to have been due to scraping data from prefilled profile forms. A script repeatedly retrieves the same profile form, passing in a different client id each time, and after a few weeks it has the data for all clients. The big advantage for the hacker is that they can do everything from overseas.
My reading of this statement is that Walgreens asked Epsilon to put security measures in place to prevent this type of attack, but they didn’t.
This is the first public evidence for how the Epsilon hack was done.
Thanks for sharing your technical knowledge of how these things work. I wonder what other ESPs have done, or are doing, to prevent this type of attack. Do most ESPs use the prefilled profile form approach?
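The attack the commenter above describes (walking sequential client ids on a prefilled profile form) is an enumeration of a direct object reference, and it leaves a distinctive trail in the web server logs. The following is an added example, not code from the original post, the commenter, or any ESP: it parses a few constructed access-log lines, flags a source that fetches many consecutive client ids on the profile form, and shows one way to make such links unguessable by binding the id to an HMAC tag under a server-side secret. The log lines, the `/profile` path, the `cid` parameter, the secret and all function names are constructed for illustration.

```python
import hmac
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real Silverpop or Epsilon data).
# One source, 203.0.113.7, walks sequential client ids on the profile form;
# the other two sources make single, ordinary lookups.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2011:10:00:01 +0000] "GET /profile?cid=1001 HTTP/1.1" 200 812
198.51.100.20 - - [05/Apr/2011:10:00:02 +0000] "GET /profile?cid=4410 HTTP/1.1" 200 790
203.0.113.7 - - [05/Apr/2011:10:00:02 +0000] "GET /profile?cid=1002 HTTP/1.1" 200 815
203.0.113.7 - - [05/Apr/2011:10:00:03 +0000] "GET /profile?cid=1003 HTTP/1.1" 200 809
198.51.100.21 - - [05/Apr/2011:10:00:04 +0000] "GET /unsubscribe?cid=4410 HTTP/1.1" 200 300
203.0.113.7 - - [05/Apr/2011:10:00:04 +0000] "GET /profile?cid=1004 HTTP/1.1" 200 822
203.0.113.7 - - [05/Apr/2011:10:00:05 +0000] "GET /profile?cid=1005 HTTP/1.1" 200 811
203.0.113.7 - - [05/Apr/2011:10:00:06 +0000] "GET /profile?cid=1006 HTTP/1.1" 404 120
"""

# Common log format: client ip, identd, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return (ip, path, cid, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlparse(m.group("target"))
    cid = parse_qs(u.query).get("cid", [None])[0]
    return m.group("ip"), u.path, cid, int(m.group("status"))


def detect_enumeration(log_text, path="/profile", min_ids=5, min_sequential=3):
    """Flag sources that fetched at least `min_ids` distinct ids on `path`
    with a run of at least `min_sequential` consecutive integer ids.
    Returns {ip: sorted list of distinct ids} for the flagged sources."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, p, cid, _status = rec
        if p == path and cid is not None and cid.isdigit():
            seen[ip].add(int(cid))
    flagged = {}
    for ip, ids in seen.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_sequential:
            flagged[ip] = ordered
    return flagged


# Hardening side: the link carries the id plus an HMAC tag under a secret the
# server holds, so guessing cid+1 yields a request the server refuses to resolve.
SECRET = b"rotate-me-in-production"  # assumption: a per-deployment secret, not a fixed constant


def profile_token(cid, secret=SECRET):
    """Build an unguessable profile-link parameter for integer client id `cid`."""
    tag = hmac.new(secret, str(cid).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{cid}.{tag}"


def resolve_token(token, secret=SECRET):
    """Return the client id if the token's tag verifies, otherwise None."""
    try:
        cid_str, tag = token.split(".", 1)
    except ValueError:
        return None
    if not cid_str.isdigit():
        return None
    expected = hmac.new(secret, cid_str.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return None
    return int(cid_str)


if __name__ == "__main__":
    for ip, ids in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct ids, {ids[0]}..{ids[-1]}")
    tok = profile_token(1001)
    print("valid token resolves to", resolve_token(tok))
    print("forged neighbour resolves to", resolve_token("1002." + tok.split(".")[1]))
```

The detector keys on distinct ids per source rather than raw request volume, so a slow scraper that spreads requests over weeks still accumulates into the flagged set when the logs are analysed over that window; a production version would also partition by time and by any session or API key. The HMAC scheme closes the enumeration path without a database of random tokens, but it still answers whether a given tag is valid, so it should sit behind rate limiting, and the response to an invalid tag should be a plain rejection rather than a differently populated form.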