Customer data has been hacked at a major marketing firm. The security breach at Epsilon involved corporate clients, many of them household names, including JPMorgan Chase, Citibank, Walgreens and Disney.
On Friday, the Irving, Texas-based Epsilon announced that "an incident" of unauthorized entry was detected on March 30. It said the information obtained was limited to e-mail addresses and customer names -- potentially in the millions -- and a "rigorous assessment" determined that no other personally identifiable information was at risk.
Best Buy, L.L. Bean, Marriott
Epsilon's clients have been alerting their customers to be wary of phishing, or fake e-mail offers that ask users to supply personal information, click on links leading to malicious web sites, or download attachments that could contain viruses. Phishing attempts try to steal account numbers, passwords or other information by pretending to be from a familiar company or friend.
Other Epsilon clients include Kroger, Barclays Bank, U.S. Bancorp, Marriott, Ritz Carlton, Best Buy, L.L. Bean, Home Shopping Network, and TiVo. Epsilon has about 2,500 customers, but the company said only about two percent were affected. It didn't give details about the security breach.
Epsilon's services include database development and management, marketing analytics, and e-mail services. The company sends an estimated 40 billion e-mails each year for its clients.
Corporate data has become a favorite target for hackers. According to a report released late last month by McAfee and Science Applications International, personal information stolen from individuals is much less of a target for cybercriminals than corporate data -- which, as in Epsilon's case, could include millions of records of personal information from individual customers. Corporate targets can also include company trade secrets, legal documents, source code, and other confidential data.
In addition to technical barriers and monitoring, the report found that the location of data storage also impacted its safety. Three countries in particular are considered the least safe for data storage -- China, Russia and Pakistan -- while the U.S., Germany and the United Kingdom are considered safest. Epsilon hasn't indicated where its data was stored.
Security breaches are also happening at companies whose core business is data security. For instance, RSA Security, makers of SecurID and one of the country's leading security firms, recently announced that hackers had "extracted" data related to SecurID.
In its announcement, RSA said its security systems had identified "an extremely sophisticated cyberattack in progress," to which it responded with "a variety of aggressive measures."
It described the attack as being in the category of advanced persistent threat, a term that can be used to describe breaches involving professional, organized hacking, such as from corporate espionage, other countries, or criminal organizations.