The Epsilon Breach: What It Means

Posted on 5 April 2011 by


If you’re alive and own a computer, you’ve probably received one of the “We’re real sorry…we lost your email address” emails from one of the dozens of vendors whose email lists were compromised in the breach of email marketing service provider Epsilon.

As Rich Mogull points out, it’s also interesting that in addition to current customers, Epsilon seems to be retaining (and, you know, losing) data from former customers, as well.

Quick Takeaway
We thought we’d wade into the news story with some information for analysts to give to investigators and others who might get worried phone calls, but up front let us say this: if we can believe company statements (see below), the breached lists are limited to name and email address.

If this is true, then the damage suffered by customers is probably limited to hand-wringing mea culpas from the people with whom we do business. Oh, and it will mean more spam for all of us.

A nicely compiled list is available from the friendly folks at and includes Ameriprise, Barclay’s L.L. Bean Visa card, Best Buy, Brookstone, Capital One, Citi, College Board, Fry’s, Home Shopping Network (HSN), JPMorgan Chase, Kroger, Marriott Rewards, Ralphs, Hilton Honors, Red Roof Inn and Ritz-Carlton Rewards (these last three raising some interesting questions about birds-of-a-feather), Target, TD Ameritrade, Walgreens and many, many more (read more Rich Mogull on the same concept at Securosis).

And Rising Spammer Stock Value (Why They Do It)
As Rik Ferguson pointed out in our PLI Podcast, spammers love fresh addresses and they use contextual data (like the retailer or firm from which the name was harvested) to enrich the value of their mailing lists. At the end of the day, more spam isn’t going to mean much to most customers, since the total volume of Internet spam is so fantastically great that this is no great shakes.

But Brian Krebs (who spoke with us specifically about targeted email attacks, or spear-phishing, on the PLI Podcast recently – as did Mike Murray, who went into some specifics about how attackers perform reconnaissance and target police officers) wrote on Krebs on Security that the amount of information obtained in the breach was sufficient to launch new waves of spear-phishing campaigns.

At the very least, there’s a lot of data out there. According to Reuters, this may be the largest breach in history.

Speaking of spam
Or rather, speaking of commercial email, Epsilon (“And with our world-class deliverability team, our deliverability rates are 10 points higher than average, ensuring your emails reach your intended recipients!” gushes Epsilon’s website) claims that it is able to process, on behalf of its customers, more than 15 million dynamic messages in one hour, or more than 40 billion emails a year. Epsilon said that the breached email lists comprised 2% of the firm’s clients (see below).

That’s a whole lotta email. World-class, Epsilon, world-class.

Neither the breach nor the type of loss are particularly novel; recently email service provider Silverpop was similarly punked, leading to loss of email lists from sites including

Epsilon’s modestly hostile and clearly overworked PR person Jessica tells us that the entirety of its public statement is:

On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

leaving us to just speculate about the breach. Jessica (the kind of PR person? Who makes every sentence a question?) tells us that she won’t comment on anything other than the statement above and that the firm is cooperating with investigators. Which agencies? No, I can’t tell you that (CBS News says that it involved the US Secret Service).