DataBreaches.Net


Was this Epsilon’s first breach – or its second? (update2)

Posted on April 3, 2011 by Dissent

From the this-may-be-getting-ugly dept.: Adding to the growing list of companies affected by a breach at Dallas-based Epsilon, Stitch Kingdom reports that Disney Destinations (The Walt Disney Travel Company) was also affected by the breach. But I knew that already thanks to a site reader who tiredly sent me the notification he received from them. It was the second notification he’s received from clients of Epsilon, and as he notes, “This is getting old….”

Elsewhere, Security Week’s Mike Lennon reports that Marriott Rewards, Ritz-Carlton Rewards, and Citi have also confirmed that their customers’ names and email addresses were obtained in the Epsilon breach. In a sign of the times, perhaps, Citi also used Twitter to point its customers to a notification on its site reminding them to check for an email security feature it employs in all legitimate email. [Update: Ameriprise has joined the ranks of those affected.]

Kroger, Capital One, Brookstone, JPMorgan Chase, US Bank, New York & Company, TiVo, McKinsey Quarterly, and the College Board have also issued releases concerning the breach, which was announced by Epsilon on Friday. In most cases, the only data reportedly acquired by the hackers were names and email addresses, but in the case of some reward programs, reward point balances may also have been acquired. The massive scope of the breach in terms of the number of clients and their customers affected adds a bit of irony to Epsilon’s trademark, “Marketing as Usual. Not a Chance.”

But the notice that really got my attention was what appeared to be Walgreens’ second breach notification in recent months. Was this Epsilon’s second breach in recent months, or did Walgreens just have the misfortune to have used two email service providers who had breaches within months of each other? Or was this a case where the scope of an earlier breach had not been fully realized?

Back in December, when Walgreens announced that its customer email marketing list had been acquired by a hacker or hackers, they didn’t name the vendor involved. At around the same time, some clients of SilverPop were notifying their customers that their email marketing lists had been acquired by hackers, and Walgreens’ name was tentatively linked to the SilverPop breach. SilverPop issued a statement at that time suggesting that not all media reports were accurate, but did not specifically name which reports were wrong.

Yesterday, I contacted Walgreens to ask directly, among other questions, whether their December notification to customers was due to SilverPop or Epsilon. A Walgreens spokesperson responded:

After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.

It seems, then, that the March 30th Epsilon incident may have been Epsilon’s second known incident in recent months. As noted in a previous blog entry, there’s also been some question raised as to whether SilverPop has had a second breach. What’s going on here?

If it’s true that there has been more than one round of hacks on the same email service providers, this could get ugly for them, and the FTC might even choose to look into whether the firms have lived up to any privacy and security promises they may have made.

Epsilon did not respond to an inquiry sent to them last night asking for confirmation or disconfirmation that this was their second breach in the past few months, but I do hope they respond with a clarification or explain why Walgreens has seemingly had to notify customers twice in recent months.

Update: Epsilon’s spokesperson has sent DataBreaches.net the following statement:

As noted in Epsilon’s statement on Friday, this incident is under investigation and as such, Epsilon is unable to discuss the matter beyond what was communicated in the statement. Additionally, we cannot comment or speculate about this matter on any of our clients’ behalf. This incident involves email addresses and/or customer names only. No other identifiable information was obtained.

So we still don’t have a direct answer as to whether this is a second data breach or not. Stay tuned.

Category: Breach Incidents, Hack, Subcontractor


2 thoughts on “Was this Epsilon’s first breach – or its second? (update2)”

  1. MarketingXD says:
    April 6, 2011 at 4:34 am

    Re: “After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.”

    The hack at Silverpop is believed to have been due to scraping data from prefilled profile forms. A script repeatedly retrieves the same profile form, passing in a different client id each time, and after a few weeks it has the data for all clients. The big advantage for the hacker is that they can do everything from overseas.

    My reading of this statement is that Walgreens asked Epsilon to put security measures in place to prevent this type of attack, but they didn’t.

    This is the first public evidence for how the Epsilon hack was done.

    1. admin says:
      April 6, 2011 at 1:53 pm

      Thanks for sharing your technical knowledge of how these things work. I wonder what other ESPs have done, or are doing, to prevent this type of attack. Do most ESPs use the prefilled profile form approach?
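The comment above describes a scrape that walks a prefilled profile form through consecutive client ids. As an added example (not code from the post, from Epsilon, or from SilverPop), the Python below shows what an ESP's defenders would want on their side of that pattern: a detector that flags a client address whose requests to the profile form step through mostly sequential ids in a constructed access-log sample, and a hardened lookup that refuses to serve a profile for a bare id and only honours links carrying an HMAC signature the server itself generated. The log lines, the `/profile?cid=` endpoint, the `PROFILES` table and `SECRET` are all assumptions made up for the example.

```python
"""Detecting sequential-id enumeration of a prefilled profile form, and the
server-side mitigation of serving the form only for a signed, unguessable link.
Added example; the endpoint, logs, records and secret are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample access log (combined-log style, fabricated for this example):
# 203.0.113.7 walks cid=1001, 1002, ... while 198.51.100.20 fetches one profile.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2011:10:00:01 +0000] "GET /profile?cid=1001 HTTP/1.1" 200 2311
203.0.113.7 - - [05/Apr/2011:10:00:02 +0000] "GET /profile?cid=1002 HTTP/1.1" 200 2290
203.0.113.7 - - [05/Apr/2011:10:00:03 +0000] "GET /profile?cid=1003 HTTP/1.1" 200 2305
203.0.113.7 - - [05/Apr/2011:10:00:04 +0000] "GET /profile?cid=1004 HTTP/1.1" 200 2288
203.0.113.7 - - [05/Apr/2011:10:00:05 +0000] "GET /profile?cid=1005 HTTP/1.1" 200 2301
198.51.100.20 - - [05/Apr/2011:10:00:06 +0000] "GET /profile?cid=4822 HTTP/1.1" 200 2297
203.0.113.7 - - [05/Apr/2011:10:00:07 +0000] "GET /profile?cid=1006 HTTP/1.1" 200 2310
"""

# Only requests for the (assumed) profile form with a numeric cid are of interest.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /profile\?cid=(?P<cid>\d+) ')


def find_enumerators(log_text, min_requests=5, min_sequential_ratio=0.8):
    """Return {client_ip: [cids]} for clients that requested the profile form
    at least min_requests times and whose ids mostly advance by exactly one,
    the walk-the-ids pattern described in the comment."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].append(int(m.group("cid")))
    flagged = {}
    for ip, cids in seen.items():
        if len(cids) < min_requests:
            continue
        steps = [b - a for a, b in zip(cids, cids[1:])]
        sequential = sum(1 for s in steps if s == 1)
        if sequential / len(steps) >= min_sequential_ratio:
            flagged[ip] = cids
    return flagged


# --- Mitigation: never resolve a bare, guessable cid. Each mailed link carries an
# HMAC over the id under a server secret, so a guessed id without its signature is
# refused. SECRET is a placeholder; a real deployment keeps it out of source.
SECRET = b"placeholder-server-secret-rotate-me"
PROFILES = {1001: "alice@example.com", 1002: "bob@example.com"}  # constructed records


def sign_cid(cid, secret=SECRET):
    """Signature that ties a profile link to the server that issued it."""
    return hmac.new(secret, str(cid).encode(), hashlib.sha256).hexdigest()[:32]


def make_profile_link(cid, secret=SECRET):
    """The only form of link the ESP should ever emit for a customer's profile."""
    return f"/profile?cid={cid}&sig={sign_cid(cid, secret)}"


def lookup_profile(cid, sig, secret=SECRET):
    """Serve the record only when sig matches; constant-time compare avoids
    leaking how many leading bytes of a forged signature were right."""
    if not hmac.compare_digest(sign_cid(cid, secret), sig):
        return None
    return PROFILES.get(cid)


if __name__ == "__main__":
    for ip, cids in find_enumerators(SAMPLE_LOG).items():
        print(f"enumeration suspected from {ip}: cids {cids[0]}..{cids[-1]}")
    print(make_profile_link(1001))
    print(lookup_profile(1001, sign_cid(1001)))  # served: signature valid
    print(lookup_profile(1002, sign_cid(1001)))  # refused: guessed id, wrong signature
```

The detector is deliberately simple (per-address, per-form, consecutive-id ratio) so it can run over logs an ESP already keeps; pairing it with a request-rate limit on the form endpoint catches slower scrapes spread over weeks. The signed link is the structural fix: a random per-recipient token stored server-side works just as well, and either one means that knowing one valid link tells an attacker nothing about the next.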

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.