The names and emails of customers of Citigroup and other large US companies were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.
In what could be one of the biggest such breaches in US history, a diverse range of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.
Walgreen, TiVo, credit card lender Capital One and teleshopping company HSN all added their names to a list of targets. JPMorgan Chase, the second-largest US bank, and Kroger, the biggest US supermarket operator, said that some customers were exposed as part of the Epsilon data breach.
Epsilon, an online marketing unit of Alliance Data Systems, said that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion email ads and offers annually, usually to people who register for a company's website or who give their email addresses while shopping.
Some of Epsilon's other clients include Verizon, Hilton Hotels, Kraft Foods, and AstraZeneca.
"We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorised individual or individuals," HSN, also an ecommerce operator, said in an email to customers.
"This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."
Law enforcement authorities are investigating the breach, though it was unclear how many customers had been exposed. Epsilon is also looking into what went wrong.
"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."
Paul Ducklin, head of technology for Sophos, noted that email address leaks were not seen as a "cardinal sin" among companies, but would lead to an increase in spam to affected accounts.
"Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely," he noted in a blog post. "That, in turn, can make their fraudulent correspondence seem more believable."
As Epsilon is essentially a cloud-based email contractor, he said firms should take note that moving to the cloud could have security implications, saying "sometimes, keeping your own skills and abilities factored into your organisation's security equation can pay off".
Play.com was faced with a similar problem, after its email marketing firm leaked customer data last month.