Hit by a major security breach, Epsilon says it will harden its e-mail system against attacks
One thing such retailers as Best Buy Co. Inc., Walgreen Co. and HSN Inc. wished they didn't share last month was the exposure of some of their customers' e-mail account information through a security breach at their e-mail services provider, Epsilon.
Epsilon, with a client base that includes more than a dozen retailers in the Internet Retailer Top 500, as well as banks and other companies, reported last month an unauthorized entry into its e-mail system March 30 that affected about 2% of its clients. Intruders were able to access the names and e-mail addresses of some of these clients' customers, but no personally identifiable information such as Social Security numbers or financial account data were compromised, the company says.
Epsilon's parent, Alliance Data Systems Corp., says it is taking steps to prevent further intrusions. "The security measures Epsilon has in place meet industry standards—and be assured that increased security measures have and will continue to be implemented as we continue to set even higher standards," Ed Heffernan, president and chief executive officer of Alliance Data Systems, says in a statement released with the company's first quarter financial report. He declined to specify what changes would be made.
Several of Epsilon's clients, including Best Buy, Walgreen and HSN, alerted their customers through e-mail and other means that some e-mail addresses had been exposed to unauthorized users. Best Buy and Walgreen said in their alerts that intruders into Epsilon's system accessed only e-mail addresses, while HSN noted that the intruders had accessed names as well as e-mail addresses of some of its customers.
Each of these retailers also noted that law enforcement agencies were investigating the matter.
Epsilon clients also explained that no information beyond customer e-mail addresses and names were accessed by intruders. "A rigorous assessment by Epsilon has determined that no other information is at risk," Barry Judge, executive vice president and chief marketing officer of Best Buy, said in an e-mail alert to customers.
"No financial data, or other sensitive information, was accessed," HSN said in a statement. "The information accessed was limited to the customer's name and e-mail address." But HSN and other retailers warned customers that, as a result of the Epsilon breach, they may receive e-mail spam that could attempt to trick them into revealing confidential information such as credit card account numbers and passwords.
"HSN would never ask you to e-mail personal information, such as credit card numbers or Social Security numbers," the retailer said in a warning to customers. "If you receive such a request, please do not respond, click on any links, or download any attachments."