DataBreaches.Net

Was this Epsilon’s first breach – or its second? (update2)

Posted on April 3, 2011 by Dissent

From the this-may-be-getting-ugly dept.: Adding to the growing list of companies affected by a breach at Dallas-based Epsilon, Stitch Kingdom reports that Disney Destinations (The Walt Disney Travel Company) was also affected by the breach. But I knew that already thanks to a site reader who tiredly sent me the notification he received from them. It was the second notification he’s received from clients of Epsilon, and as he notes, “This is getting old….”

Elsewhere, Security Week’s Mike Lennon reports that Marriott Rewards, Ritz-Carlton Rewards, and Citi have also confirmed that their customers’ names and email addresses were obtained in the Epsilon breach. In a sign of the times, perhaps, Citi also used Twitter to point its customers to a notification on its site reminding them to check for an email security feature it employs in all legitimate email. [Update: Ameriprise has joined the ranks of those affected.]

Kroger, Capital One, Brookstone, JPMorgan Chase, US Bank, New York & Company, TiVo, McKinsey Quarterly, and the College Board have also issued releases concerning the breach, which was announced by Epsilon on Friday. In most cases, the only data reportedly acquired by the hackers were names and email addresses, but in the case of some reward programs, reward point balances may also have been acquired. The massive scope of the breach, in terms of the number of clients and their customers affected, adds a bit of irony to Epsilon’s trademark, “Marketing as Usual. Not a Chance.”

But the notice that really got my attention was what appeared to be Walgreens’ second breach notification in recent months. Was this Epsilon’s second breach in recent months, or did Walgreens just have the misfortune to have used two email service providers who had breaches within months of each other? Or was this a case where the scope of an earlier breach had not been fully realized?

Back in December, when Walgreens announced that its customer email marketing list had been acquired by a hacker or hackers, it didn’t name the vendor involved. At around the same time, some clients of SilverPop were notifying their customers that their email marketing lists had been acquired by hackers, and Walgreens’ name was tentatively linked to the SilverPop breach. SilverPop issued a statement at that time suggesting that not all media reports were accurate, but did not specifically name which reports were wrong.

Yesterday, I contacted Walgreens to ask directly, among other questions, whether their December notification to customers was due to SilverPop or Epsilon. A Walgreens spokesperson responded:

After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.

It seems, then, that the March 30th Epsilon incident may have been Epsilon’s second known incident in recent months. As noted in a previous blog entry, some question has also been raised as to whether SilverPop has had a second breach. What’s going on here?

If it’s true that there has been more than one round of hacks on the same email service providers, this could get ugly for them, and the FTC might even choose to look into whether the firms have lived up to any privacy and security promises they may have made.

Epsilon did not respond to an inquiry sent to them last night asking for confirmation or disconfirmation that this was their second breach in the past few months, but I do hope they respond with a clarification or explain why Walgreens has seemingly had to notify customers twice in recent months.

Update: Epsilon’s spokesperson has sent DataBreaches.net the following statement:

As noted in Epsilon’s statement on Friday, this incident is under investigation and as such, Epsilon is unable to discuss the matter beyond what was communicated in the statement. Additionally, we cannot comment or speculate about this matter on any of our clients’ behalf. This incident involves email addresses and/or customer names only. No other identifiable information was obtained.

So we still don’t have a direct answer as to whether this is a second data breach or not. Stay tuned.

2 thoughts on “Was this Epsilon’s first breach – or its second? (update2)”

  1. MarketingXD says:
    April 6, 2011 at 4:34 am

    Re: “After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.”

    The hack at Silverpop is believed to have been due to scraping data from prefilled profile forms. A script repeatedly retrieves the same profile form, passing in a different client id each time, and after a few weeks it has the data for all clients. The big advantage for the hacker is that they can do everything from overseas.

    My reading of this statement is that Walgreens asked Epsilon to put security measures in place to prevent this type of attack, but they didn’t.

    This is the first public evidence for how the Epsilon hack was done.

    1. admin says:
      April 6, 2011 at 1:53 pm

      Thanks for sharing your technical knowledge of how these things work. I wonder what other ESPs have done, or are doing, to prevent this type of attack. Do most ESPs use the prefilled profile form approach?
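One way an ESP could close the enumeration path described in the comment above, as an added example that is not part of the post, the comments, or any vendor’s code: instead of keying the prefilled profile form on a guessable client id, the emailed link carries an HMAC-signed, expiring token, and the server returns a profile only when the token verifies. SECRET, TOKEN_TTL and PROFILES are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for the demo; a real deployment loads the key from a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 7 * 24 * 3600  # assumption: prefill links stay valid for one week

# Constructed sample of the data a prefilled profile form would expose.
PROFILES = {
    "c-1001": {"name": "Alice Example", "email": "alice@example.com"},
    "c-1002": {"name": "Bob Example", "email": "bob@example.com"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_prefill_token(client_id: str, now=None) -> str:
    """Bind the client id to an expiry under an HMAC tag; this goes in the emailed link."""
    issued = time.time() if now is None else now
    payload = f"{client_id}|{int(issued + TOKEN_TTL)}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def lookup_profile(token: str, profiles=PROFILES, now=None):
    """Return the profile only for a well-formed, authentic, unexpired token.

    A bare client id, a payload with a swapped id, or a stale link all yield
    None, so a script iterating ids learns nothing from the form endpoint.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:
        return None  # not a token at all (e.g. a bare id or malformed base64)
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag mismatch: forged or tampered payload
    client_id, exp = payload.decode().rsplit("|", 1)
    if int(exp) < (time.time() if now is None else now):
        return None  # expired link
    return profiles.get(client_id)
```

Rejected lookups are also a useful signal: a single source producing many tag-mismatch or bare-id failures is exactly the pattern the comment describes and is worth rate limiting and alerting on.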

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.