The breach was first noted on March 31, when Epsilon, a marketing firm whose services include permission-based email marketing and database hosting, began notifying its customers of potential data exposure thanks to an unauthorized entry into Epsilon's email system. According to Epsilon, the information compromised was "limited to email addresses and/or customer names only," and "no other personal identifiable information associated with those names was at risk."
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. ]
One of Epsilon's clients, grocery chain The Kroger Co., subsequently notified its customers that the database had been breached, and urged its customers to be wary of email from senders they did not know. Later, it was revealed that JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, Walgreens, The College Board, and the Home Shopping Network have joined the ranks.
SecurityWeek notes that while the information harvested may seem like a "minor threat" -- after all, it's just email addresses -- targeted phishing messages to these customers are likely to yield a higher "hit rate" than a blind spamming campaign. In other words, people are much more likely to click on an email (or link within an email) that addresses them by name and purports to be from Citi Bank (especially when Citi Bank is the bank they use) then they are to click on an email that addresses them as "Big Guy" and purports to be from a male "growth" company.
In some cases, more than just email addresses and names were disclosed -- both Marriott Rewards and Ritz-Carlton Rewards had member rewards points disclosed, along with names and email addresses. This could give scammers more leverage when they attempt a targeted campaign.
Epsilon has the world's largest email marketing service, and sends more than 40 billion emails a year and manages customer databases from 2500 clients. Other Epsilon clients (who have not yet been named in the email breach) include Best Buy, TIAA-CREF, and Staples.
If you subscribe to email marketing from any of these brands, never fear -- you're in no danger as long as you keep an eye out for email from senders you don't know, and don't send any sensitive information (such as credit card or banking info) to "companies" via email. It's also a good idea not to open any attachments unless you personally know who's sending you the email and what the attachment is.