Epsilon is one of the world's largest customer outreach e-mail companies, and generates legitimate traffic on behalf of a number of very large companies (see Table 1 below). Epsilon services over 2,500 major clients, including 7 of the Fortune 10, and sends over 40 billion e-mails per year on their behalf.
On Friday, Epsilon reported that an outsider succeeded in obtaining illicit access to its customer database, from which individual names and e-mail addresses were obtained. The company was quick to observe that no sensitive data had been stolen (such as credit card or account numbers, or other data elements that could lead directly to identity theft or account compromise). However, access to a customer database makes it easy for cybercrooks to create personalized, targeted phishing campaigns: they can address recipients by name, reference the brand the recipient actually does business with, and send to e-mail addresses known to be live. This reliably raises the hit rate of a well-crafted phishing message.
Table 1: List of Companies With E-mail Records Known to Be Stolen

Ameriprise Financial
Best Buy
Brookstone
Capital One
Citi
Disney Destinations
Home Shopping Network (HSN)
JP Morgan Chase
Kroger
LL Bean Visa Card
Marriott Rewards
McKinsey & Company
New York & Company
Ritz Carlton Rewards
The College Board
TiVo
US Bank
Walgreens

Source: Security Week 4/2/2001, "Massive Breach at Epsilon Compromises Customer Lists of Major Brands"
At this point, no attacks are known to have been launched using any of the stolen data, but anyone who receives e-mail from any of these companies (and possibly others, as Epsilon itself has not yet published a definitive list of all the companies that may have been affected) should remain especially vigilant for phishing messages that appear to come from these brands.
Stu Sjouwerman