E-Mail Breach Hits Best Buy, TiVo, Walgreens, Chase, Kroger, Many More

What first looked like a small e-mail list breach at New York & Company over the weekend was just the tip of the iceberg, as multiple national retailers and banks found themselves victims of the same hackers.

We’ve read or heard directly about breaches of e-mail lists at Best Buy, TiVo, Walgreens, Citi, US Bank, Kroger, JPMorgan Chase, Barclays Bank, Capital One, Marriott, Home Shopping Network, Brookstone, Ameriprise Financial, LL Bean Visa Card, The College Board, Ritz-Carlton and Disney Destinations. There are likely even more that we have yet to hear about.

All the leaks are related to a company called Epsilon, which is apparently the world’s largest permission-based email marketing provider, and which began notifying its clients of the violation over the weekend.

Reads the statement on the Epsilon site:

On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Most affected companies have been contacting customers by e-mail to alert them to the breach. Most of the businesses are telling customers that the only information leaked was names and e-mail addresses, and that their credit card information is still secure. Ritz-Carlton Rewards has said that the hackers can also see its customers’ rewards points balances.

Companies and security experts are warning affected customers to beware of phishing attacks from scammers posing as one of these businesses.

Writes SecurityWeek.com:

Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

Massive Breach at Epsilon Compromises Customer Lists of Major Brands [Security Week]