Epsilon Breach Probe Under Way; Credit Unions Warn Against Phishing
Epsilon is working with federal authorities and outside forensics experts to investigate the marketing firm’s recent e-mail address security breach, Epsilon parent company Alliance Data Systems Corp. said in a statement this week.
Approximately 2 percent of Epsilon’s clients were affected by last week’s breach, which involved an unauthorized entry into its e-mail system and the compromise of millions of clients’ customer names and e-mail addresses, Alliance Data said.
Epsilon manages customer e-mail databases for more than 2,500 clients including large financial institutions and retailers.
Alliance Data confirms that based on “rigorous internal and external reviews,” the compromised data is strictly limited to customer names and e-mail addresses. Since the breach, access to Epsilon’s e-mail system has been restricted further and its security protocols have been under review, the statement read.
“While we can’t reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets – their customers,” Alliance Data CEO Ed Heffernan said in the statement. “Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency.”
Alliance Data also said the company’s biggest concern following the breach is potential client loss. Epsilon’s e-mail marketing campaigns have resumed and e-mail volumes are not expected to be significantly impacted, the company said.
While credit unions are not amongst the reported Epsilon clients affected by the breach, several CUs are warning their members against phishing scams in response to the incident.
Credit unions including the $1.9 billion HarborOne CU of Brockton, Mass., the $551 million Y-12 Federal CU of Oak Ridge, Tenn., the $729 million TwinStar CU of Olympia, Wash., and the $434 million iQ CU in Vancouver, Wash., posted messages on their websites stating that while they have no affiliation with Epsilon, members who have opted in to an Epsilon client e-mail marketing list could be at risk of e-mail phishing scams.
Andrew Jaquith, CTO for Connecticut-based information security vendor Perimeter E-Security, said since customer names and e-mail addresses were the only data compromised, the incident’s impact on Epsilon clients and their customers will be minor.
But he says the breach is “embarrassing” for Epsilon and indicates flaws in the company’s security.
“The fact that the attackers could obtain such a vast quantity of information means that they compromised Epsilon’s security to get it,” Jaquith said.