Dozens of major corporations sent notices to consumers Monday morning saying that their names and e-mail addresses might have been obtained by hackers who attacked an e-mail marketing firm’s database last week.
According to a press release on Epsilon’s website, a security breach was detected on Wednesday as “a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s e-mail system.”
Epsilon clients who have reported being affected include Cincinnati-based Kroger Co., Target, JPMorgan Chase, U.S. Bancorp, Citigroup, Best Buy Co., Walgreens and TiVo.
When contacted by telephone, Epsilon press contact Jessica Simon said the company is working with authorities on an investigation into the breach and couldn’t comment further.
Despite the broad expanse of the breach, some students weren’t concerned about their information.
“What is someone going to do with my e-mail? It’s not important. I only check it once a week,” said Seth Martin, a third-year in business.
Others weren’t aware of the breach.
Unlike the data breach Ohio State experienced last fall, Epsilon is reporting that the hackers were only able to obtain names and e-mail addresses, which means the biggest concern for affected customers is phishing — when hackers imitate a trusted company and attempt to get sensitive personal information through e-mail.
“Since the hacker will have both your e-mail address and will know your real name and the companies that you have done business with … you could be lured into giving them personal information because you have given (the companies) online information before, and you figure it is just a legitimate e-mail contact,” said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse.
Stephens said it is uncommon for hackers to only get names and e-mail addresses. Last December, OSU revealed a data breach that occurred in October in which hackers accessed names, social security numbers, dates of birth and addresses of about 760,000 current and former faculty, students, applicants and other university-affiliated people.
The College Board, a company that runs the SAT and AP tests as well as other college application resources, was among the companies affected by the breach of Epsilon’s e-mail system.
“Sensitive information such as Social Security numbers and credit card information were not stored in this system and were not at risk,” said Peter Kauffmann, vice president of communications for College Board in an e-mail to The Lantern. “We are conducting a thorough investigation into this matter and will continue to update those who may have been affected.”
The proper way to give any company personal information is by going directly to their website, calling a phone number you know to be accurate or by writing to the company. Don’t ever respond to open e-mails requesting personal information, Stephens said.
Jenna Backus, a third-year in strategic communications, said she already deals with phishing and spam so she isn’t worried about this breach.
“I block spam and weird usernames,” Backus said.
Amy McCormick, a spokesperson for the Kroger Co., said they have been contacting all of their customers and reminding people to use everyday online safety measures.
“We are reminding our customers to not open e-mails from people that they do not know,” McCormick said. “We also advise them that Kroger would never ask them for any personal information, such as credit card numbers or Social Security card numbers, and if they were to receive such a request and it did not come from Kroger, they should delete it.”
Kroger customers can call 1-800-576-4377 if they have concerns about the data breach or wish to report phishing or spam to their account.
Epsilon has yet to release a full list of its clients who were affected or a number of e-mail accounts that were obtained, but some sources are reporting that the breach is shaping up to be the largest in history.
“Epsilon is a very large company; they have over 2,500 clients and at this point we’re not clear how many of those clients have actually been impacted,” Stephens said. “I would imagine that the list will grow as the day goes on.”
By Monday evening, DataBreaches.net had published a list of 37 companies that the breach impacted.
Janelle Cooper contributed to this story.