Hit By the Epsilon Security Breach? Here's How to Protect Your Personal Information

If you're a customer of Best Buy (BBY), Citigroup (C), or any one of the 2,200 global brands that relies on email marketing giant Epsilon, you may have received a rather alarming notice over the weekend. Epsilon has reported a security breach that may have compromised your email address and name.

While it may at first sound like the identity thieves walked away with very little, the potential for damage can be great, say security experts. For example, armed with your name, email address, and the name of a company with whom you do business, identity thieves can send an authentic-looking but bogus Best Buy email asking you to supply your credit card information or other personal information. This can later be used to pilfer your financial accounts.

Security experts note, however, that consumers can take a number of actions to safeguard their personal information in the wake of the Epsilon hack attack.

"Most likely this information will be used for phishing attacks. If they know the email list you subscribe to, it's more likely they can write a convincing email to deceive you," says Thomas Kristensen, chief technology officer for security software firm Secunia.

First and foremost, when receiving an unsolicited email, do not immediately click on the link or open the attachment contained in the email. The link can take you to a nefarious website, which can infect your computer. Or the attachment may download software that will track your computer keystrokes -- including the passwords you type.

What You Can Do

Here are some steps consumers can take when receiving an unsolicited email, according to Kristensen:
  • Open a new browser and visit the website that supposedly sent the email; check to see if it's promoting the same offer that has been sent to you unsolicited;
  • Mouse over the link contained in the email and look at the lower left corner of the screen to see if the domain name matches the company that is purportedly sending the email;
  • If you must click on the link, the page that opens should still show the same domain name. If it doesn't, and it asks you for financial information like a bank account number or Social Security number, do not provide the information. If the opened link has a different domain name but isn't requesting financial information, the identity thief may have opted to infect your computer with a virus instead.
  • Best advice of all is to avoid clicking on links or opening attachments placed in unsolicited emails.
  • And, finally, keep your security software updated.
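
The hover check from the list above, automated the way a mail filter might apply it, as an added example that is not part of the original article: it compares each link's real host, and any domain shown in the link text, with the domain in the From header. The function names, the sample message and the reserved names shop.example and account-check.test are constructed for illustration; a From header can be forged, so a match here is not proof that a message is legitimate.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def base_domain(host):
    """Last two labels of a host name. Simplification: a production check
    would use the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(from_header, html_body):
    """Return [(href, [reasons])] for links that fail the hover check."""
    sender = base_domain(parseaddr(from_header)[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar links have no web host to compare
        host, reasons = parts.hostname or "", []
        if base_domain(host) != sender:
            reasons.append(f"host {host} is not under sender domain {sender}")
        shown = re.search(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", text.lower())
        if shown and base_domain(shown.group()) != base_domain(host):
            reasons.append(f"text shows {shown.group()} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message using reserved test names only.
SAMPLE_FROM = "Shop Offers <offers@shop.example>"
SAMPLE_HTML = """<p>Dear customer,</p>
<a href="https://www.shop.example/deals">This week's deals</a>
<a href="http://shop.example.account-check.test/login">www.shop.example</a>
<a href="http://192.0.2.10/verify">Confirm your card</a>"""
```

Calling `suspicious_links(SAMPLE_FROM, SAMPLE_HTML)` flags the second and third links: one puts the brand name in a subdomain of an unrelated domain, the other points at a bare IP address.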

Best Buy and McKinsey Quarterly, two Epsilon clients that were affected by the email security breach, issued their own warnings to customers. Best Buy says in its email:

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our
customers, that files containing the email addresses of some Best Buy customers
were accessed without authorization.

We have been assured by Epsilon that the only information that may have been
obtained was your email address and that the accessed files did not include any
other information. A rigorous assessment by Epsilon determined that no other
information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We
ask that you remain alert to any unusual or suspicious emails. As our experts at
Geek Squad would tell you, be very cautious when opening links or attachments
from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to
provide or confirm any information, including credit card numbers, unless you
are on our secure e-commerce site, www.bestbuy.com. If you receive an email
asking for personal information, delete it. It did not come from Best Buy.

And McKinsey Quarterly told its clients:

We have been informed by our e-mail service provider, Epsilon, that your e-mail
address was exposed by unauthorized entry into their system. Epsilon sends
e-mails on our behalf to McKinsey Quarterly users who have opted to receive
e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was
your first name, last name and e-mail address and that the files that were
accessed did not include any other information. We are actively working to
confirm this. We do not store any credit card numbers, social security numbers,
or other personally identifiable information of our users, so we can assure you
that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We
want to urge you to be cautious when opening links or attachments from unknown
third parties. Also know that McKinsey Quarterly will not send you e-mails
asking for your credit card number, social security number or other personally
identifiable information. So if you are ever asked for this information, you can
be confident it is not from McKinsey.

When consumers receive emails that appear questionable, Kristensen advises forwarding the email to the company's customer service or security department.

"Most companies would like to know," Kristensen says. "And if they are in fact legitimate but people think they're not, that will also tell them they have to do a better job in presenting the information."

Other companies affected by the security breach include Citigroup, J.P. Morgan Chase (JPM), Barclays (BCS), U.S. Bancorp (USB) and Capital One Financial (COF), according to a Wall Street Journal report. And, according to an Orlando Sentinel report, Disney Destination (DIS) was also affected.

Epsilon, which issued its warning Friday, said it detected the security breach on March 30 in a subset, or portion, of Epsilon clients' customer data. The company noticed the email addresses and names of customers were exposed via an unauthorized entry into its email system.


who would be stupid enough to respond to an email asking for credit card info from ANYONE? i have the email addresses from which i will accept email on my "friends" list, the rest goes in the spam bucket where it is trashed, no problem!

April 05 2011 at 8:42 PM

What is being done other than a canned general Sorry. I also got E-mails from HSN, Disney, Target and Chase. This is ridiculous!

April 05 2011 at 4:54 PM

I agree, and am infuriated. Already today, I have had to unsubscribe from dozens of e-mail lists, which takes valuable time out of my day. My main gripe is that nothing is being done about it. My personal information has been leaked by Google Buzz, Walgreens and AvMed, all within two years, and all I've gotten in return is an electronic apology. Gee, thanks!

April 05 2011 at 4:20 PM

I blame the companies that did business with this behemoth. I abided with the privacy requirements when I signed up to do business with these people and they violated my rights. I've received emails from Hilton Honors, from Marriott, from Best Buy, from Target, Walgreens, 1800 Flowers, and others so far. These people did not have my permission to give my email address to a third party.

I WILL not do business with these people ever again after this.

April 05 2011 at 4:03 PM
DJ McCloskey

I received a warning email from Chase Bank!

April 05 2011 at 12:25 PM

Why are these companies passing around my name and email address period. I did business with Walgreens and 4 other companies that were breached, I have never heard of epsilon. What reason on god's green earth do they have to give my name and email address to some fly by night elison company. I think all (5) of these companies that gave my name to epsilon should be sued and epsilon as well. That would remedy this situation before another tom dick and harry store passes on customer information without permission.

April 05 2011 at 12:19 PM
1 reply to mt1975's comment
Bobby Gallahar

Most every company uses a third party email relay service such as epsilon. The companies' servers are typically loaded with having to maintain websites and day to day operations. Having to send out mass emails to their email lists would tax their servers beyond usability. Companies such as constant contact and epsilon have servers dedicated to doing nothing but mass email mailings. While this practice might not be "kosher" in the eyes of the public, we would be even more outraged if we could not access our favorite store's website cause the servers were busy sending out an email promotion to the hundreds of thousands of email subscribers. These companies send out an email to every address in an authorized list. It sends the email out, that many times. This prevents a mass "cc" mailing that would expose your email to other recipients. Go ahead, and boycott the companies if you wish, however, if you check with other companies whose email lists you are on, I am sure you will find that they too are doing the same thing.

August 20 2011 at 12:10 AM

Kroger is also handled by Epsilon. I received a warning email from them, too.

April 05 2011 at 11:21 AM

They don't want us to worry about all our medical information being online? Pretty scary if you ask me.

April 05 2011 at 10:15 AM

i called target after having second thoughts about the email i received from them. it is a scam. i don't give out my credit card number or order online. target gave me a runaround re same. they switched me to 4 different people & finally instead of connecting me to someone, just hung up on me. i finally spoke to someone in lower management who knew what was going on. i would love to see the ceo of target in undercover boss. i won't shop there again.

April 05 2011 at 10:15 AM

a total list of businesses involved in the breach would be helpful.

April 05 2011 at 9:11 AM