Epsilon Hack: Customers Targeted From Citigroup, Walgreens, TiVo, Capital One, HSN, College Board

First Posted: 04/03/11 09:37 PM ET Updated: 06/03/11 06:12 AM ET

(Reuters) - The names and e-mails of customers of Citigroup Inc and other large U.S. companies, as well as College Board students, were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.

In what could be one of the biggest such breaches in U.S. history, a diverse swath of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.

Drugstore Walgreens, video recorder TiVo Inc, credit card lender Capital One Financial Corp and teleshopping company HSN Inc all added their names to a list of targets that also includes some of the nation's largest banks.

The names and electronic contacts of some students affiliated with the U.S.-based College Board -- which represents some 5,900 colleges, universities and schools -- were also potentially compromised.

No personal financial information such as credit cards or social security numbers appeared to be exposed, according to the company statements and e-mails to customers.

Epsilon, an online marketing unit of Alliance Data Systems Corp, said on Friday that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company's website or who give their e-mail addresses while shopping.

"We learned from our e-mail provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals," HSN, also an e-commerce operator, said in an e-mail to customers on Sunday.

"This information included your name and e-mail address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."

Citigroup customer names and some credit card customers' e-mail addresses -- but no account information -- were part of the data breach, the third-largest U.S. bank said on Saturday.

The College Board, which administers the SAT admissions tests, on Saturday warned students about the breach and asked them to be cautious about receiving "links or attachments from unknown third parties," according to two e-mails reviewed by Reuters.

The not-for-profit organization is in contact with more than 7 million students, according to its website. It did not immediately return calls for comment.

PROBING FOR ANSWERS

Law enforcement authorities are investigating the breach, though it was unclear on Sunday how many customers or students had been exposed. Epsilon is also looking into what went wrong.

"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."

Capital One, which also runs a bank, and Walgreens, the largest U.S. drugstore, said the Epsilon hacker accessed their customer e-mail addresses, but no personally identifiable information.


TiVo, a maker of digital video recorders, said the information that was obtained was limited to e-mail addresses and clients' first names.

The incident comes three years after hackers penetrated Heartland Payment Systems, a credit and debit card processor, in one of the biggest identity-theft cases in U.S. history.

In that case, notorious hacker Albert Gonzalez led a ring that stole more than 40 million payment card numbers, and was later sentenced to 20 years in prison.

On Friday, JPMorgan Chase & Co, the second-largest U.S. bank, and Kroger Co, the biggest U.S. supermarket operator, said that some customers were exposed as part of the Epsilon data breach.

Citigroup announced that it had been affected on Saturday evening. Spokesman Sean Kevelighan said the bank started informing its customers of the breach on Friday through a link on its website.

Some of Epsilon's other clients include Verizon Communications Inc, Blackstone Group LP's Hilton Hotels, Kraft Foods Inc, and AstraZeneca.

(Reporting by Jonathan Spicer and Maria Aspan, editing by Maureen Bavdek, Diane Craft and Gunna Dickson)

Copyright 2011 Thomson Reuters.

Filed by Adam J. Rose

04:12 PM on 04/06/2011
Since I'm learning how to thwart these types of attacks, I think if they had a honey pot setup in their DMZ (if they even had a DMZ), they could have seen this coming.
08:59 AM on 04/06/2011
You can add Verizon to the list. (They use Epsilon to send out marketing communications.) I received an email from Verizon stating that my email address "was exposed due to unauthorized access" to Epsilon's systems.

I'm guessing that so many companies have been making use of Epsilon because they provide their services at an attractively low cost. Too bad they don't use enough of their revenue to make sure their systems are secure.
Ukie3
All your base are belong to us!
08:08 AM on 04/05/2011
Got an e-mail from the College Board a couple days ago...
09:34 PM on 04/04/2011
No BigPharma clients to devise a vaccine to provide protection from hacking for companies like Epsilon? What are they doing with all their profits? Surely this would be a winner.
09:34 PM on 04/04/2011
Never volunteer information - nada - zip.
You who do are your own worst enemy.
There is no privacy since these companies do not hand out lists of their 3rd party collaborators.
And these 3rd party entities change hands quite often.
07:27 PM on 04/04/2011
Got emails from Chase and Citi just now. I guess during weekends they only count their billions.
06:58 PM on 04/04/2011
Hacked = Sold
Dee Amschler
on the edge
06:21 PM on 04/04/2011
The sickest part is I knew before any of the involved companies started admitting to this. How? Because of a sudden, sharp increase in spam. I'll almost guarantee it was done to harvest the emails.

There needs to be a very painful, expensive, severe penalty for this sort of thing. One that makes a company realize that there's more to this than "just" bad publicity. One that forces them to realize they're risking identities of their customers.

I shouldn't have to risk my identity or even my financial information to do business with anyone online, not even if all I ever opt to do is to sign up for newsletters. Businesses MUST learn to keep data of clients as secure as their own.

Security isn't easy, but it can't be done when you're running your IT department by hiring the cheapest employees, the fewest number of them you can limp along with and the minimal equipment to do what's needed. You need good employees and good equipment and you need to keep both current. I'm guessing Epsilon failed on at least one of these accounts.
08:31 PM on 04/05/2011
Maybe clients of these mega corporations should do business elsewhere, such as smaller banks and credit unions etc. Maybe these corporations are too big to do business with for the middle class individual. Maybe it's time for us to move on from this notion of bigger is better.
Mister Grumpy
An Angry American
04:58 PM on 04/04/2011
Not to worry......... when Sharia Law becomes the law of the land......... all Hackers will be beheaded............
cabrobst
Return the top rate to 90%.
04:32 PM on 04/04/2011
Make Epsilon liable for damages and these security breaches will disappear like that.
My guess is that some greedy exec sold the list.
04:16 PM on 04/06/2011
actually no, so long as there's private information out there there will always be someone out there willing enough to expose said information.

What needs to happen is more layers of overlapping security.
04:23 PM on 04/04/2011
Add Hilton Hotels
mansterEZ
searching for secular humanist fact-based truth
03:58 PM on 04/04/2011
Freedom ain't free. Securing access to membership and discounts requires one to give up a lot of their anonymity. Corporations have no soul and reduce everyone and everything to nuttin but a number to be bought and sold. If one's personal information was sooo important to keep private, these mega corps would have taken the necessary measures to protect it from being stolen. Will their reputation be harmed? Not really because the majority of their customers have become dependent on what they have to offer. They also depend on the honesty and purposeful ignorance of their customers and they know there are a plethora of candidates willing to take the leap and sign on the bottom line to satisfy that quick financial fix.
03:37 PM on 04/04/2011
The issue with most companies is that they will do the minimum to meet regulatory compliance. Reputational harm is not strong enough to push companies to do the right thing. With the list this large we can't take our business elsewhere. The true owner of this problem is the companies that didn't do an in-depth security review of Epsilon. Was Epsilon playing in the arena of Security Theater? Epsilon probably has nice certifications and has a SAS70 Type II. I figure that we will never know the reason how this occurred or how much was actually taken. Everyone will lawyer up. You can tell this is happening already by the e-mails. I can see the lawyers and marketing people sitting around a room spinning this.

Most of these companies who have sent out e-mails have a tone of Blame the Victim. They should be responsible for this breach just as Epsilon is responsible. Sending me a mail saying that this happened and then telling me to protect myself is rather self serving. We will never know how much harm this little breach will cause. People will still click links and go to unsafe sites. This much data could be used for the next 10 years. Are we going to remember that this occurred 5 years from now?

Privacy is dead, not because I don't want it, but because I don't control my own information.
cabrobst
Return the top rate to 90%.
04:39 PM on 04/04/2011
I will protect myself by not doing business with those who compromise my security. If that means going offline, well we must be safe from the incompetent and criminals. I buy only from firms I know. I do not bank online. I keep my core accounts safe.
03:07 PM on 04/04/2011
Would not trust Citigroup at all. They could tell me why they never did an electronic billing one month after 5 years and then changed my rates for being late. Wouldn't surprise me if they aren't telling everything.
02:30 PM on 04/04/2011
I understand good computer security is very expensive. It is apparently much better for businesses not to invest much into this until they have a major 'hack', then apologize to customers and maybe upgrade security. After all, the government doesn't care. There are no laws mandating that they have a certain level of computer security. If there are, enlighten me. Wouldn't want to cost them any money or interfere in how businesses conduct their business. It is only your personal financial info and your identity at risk.
04:26 PM on 04/06/2011
Actually, you're wrong there; there are a lot of acts that were passed that specifically prohibit unsecured information from being available if you deal in finances or identity. HIPAA, GLBA, just to name a few.

I should know because I'm taking classes specifically in this field.