Millions of Consumer/Customer E-mail Addresses Stolen; Phishing Surely to Follow

Epsilon is one of the world's largest customer outreach e-mail companies, and generates legitimate traffic on behalf of a number of very large companies (see Table 1 below). Epsilon services over 2,500 major clients, including 7 of the Fortune 10, and sends over 40 billion e-mails per year on their behalf.

On Friday, Epsilon reported that an outsider succeeded in obtaining illicit access to its customer database, from which individual names and e-mail addresses were obtained. The company was quick to observe that no sensitive data had been stolen (such as credit card or account numbers, or other data elements that could lead directly to identity theft or account compromises). However, access to customer databases makes it easy for cybercrooks to create personalized targeted phishing campaigns, where they can address recipients by name and phish known working e-mail addresses. Invariably, this ensures higher hit rates for well-crafted phishing messages.

Table 1: List of Companies With E-mail Records Known to Be Stolen

Ameriprise Financial | LL Bean Visa Card
Best Buy | Marriott Rewards
Brookstone | McKinsey & Company
Capital One | New York & Company
Citi | Ritz Carlton Rewards
Disney Destinations | The College Board
Home Shopping Network (HSN) | TiVo
JP Morgan Chase | US Bank

Source: Security Week 4/2/2001 "Massive Breach at Epsilon Compromises Customer Lists of Major Brands"

At this point, no attacks are known to have been launched using any stolen data, but anyone who receives e-mail from any or all of these companies (and possibly more, as Epsilon itself has not yet published a definitive list of all the companies that may have been compromised) should remain especially vigilant for potential phishing attacks from these sources.

Stu Sjouwerman
