20110329-Epsilon

3/29/2011 Epsilon

Epsilon is a service provider sending over 40 billion emails annually on behalf of over 2,500 clients including: 1-800-Flowers, Air Miles, bebe Stores, Best Buy, Brookstone, College Board (The), Dell of Australia, Dillons, Disney Destinations, Eddie Bauer, Eileen Fisher, Ethan Allen, Fred Meyer, Fry’s, Hilton Honors Program, Home Shopping Network (HSN), Kroger, Lacoste, LL Bean Visa Card, Marriott Rewards, McKinsey & Company, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, Robert Half, Smith Brands, Target, TiVo, Verizon, and Walgreens. Their customers also include these finance industry institutions: Ameriprise Financial, Capital One, Citi, JPMorgan Chase, MoneyGram, Scottrade, TD Ameritrade, TIAA-CREF, and US Bank. Compromised information included names and email addresses.
 
Why is a non-financial compromise important? Names and email addresses are a source for “phishing” attacks, in which consumers receive emails purportedly from a business asking them to “click here” for “an outstanding offer”. The click takes the unsuspecting consumer to a site that downloads malware or entices the consumer to enter their account passwords. A breached list that pairs a real name with the brand the consumer actually does business with makes such messages far more convincing than untargeted spam.
 
Based on an announcement by Epsilon on 3/29/2011, updated since, the compromise is reported to affect “only” two percent of their customers, but the number of affected customers is less relevant than the number of affected consumers. 50 customers (the estimated 2% of Epsilon’s 2,500 reported customers) could represent 90% of all consumers served by 100% of the customers.

 
A later update (see The Costs link below) indicated that the Epsilon breach may have affected 75 companies or 3% (not 2% as initially disclosed) and the cost to those companies could reach over $400 million for an event cost of over $600 million. The total cost (including forensic audits, consumer monitoring fees, regulator fines, litigation, and lost business) could run as high as 4 billion dollars.
 
At $200 per affected account and a $600 million event, we believe that at least 3 million accounts were affected.

4/02/2011 The breach
www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands

 
UPDATE (05/02/2011): The original estimate of companies affected was changed from 2% to 3% of Epsilon customers. A total of 75 companies were affected, and these companies may end up paying a combined amount of $412 million in damage control. Epsilon itself could pay $225 million. Some estimate the total cost of the Epsilon breach could run as high as $3-$4 billion in forensic audits and monitoring, fines, litigation, and lost business for provider and customers. Conservative estimates place the number of customer email addresses breached at 50-60 million. The total of customer emails exposed could reach 250 million. UPDATE: Over 110 businesses that were Epsilon customers were affected.

5/02/2013 The costs
www.darkstarcloudblog.com/2013/05/total-cost-of-epsilon-e-mail-data.html

6/28/2013 How the breach was accomplished is still not reported
www.businessinsurance.com/article/99999999/NEWS030101/306019974
