Millions warned over substantial email data theft
Millions of customers of major brands are being warned they can expect to be bombarded with spam email after hackers stole a large database of their details.
Barclaycard, Citigroup and a subsidiary of Amazon are among the firms affected by the breach at Epsilon, an online marketing firm based in Dallas, Texas.
Epsilon said the hackers broke in on 30 March.
“An incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system,” it said.
The firm added that an investigation is underway and that only email addresses and some names had been exposed, rather than information that could be directly used in financial crime.
“The information that was obtained was limited to email addresses and/or customer names only,” Epsilon said.
Nevertheless, the data theft is likely to be among the biggest in history.
The firms affected, which also include Capital One, JP Morgan Chase, the Marriott International hotel group and the huge US supermarket chain Kroger, are warning customers that their email addresses could be used to target them in a more serious attack.
AbeBooks, an Amazon subsidiary that specialises in rare books, told its customers via email: “As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail.
“Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.”
Such “phishing” attempts could be more convincing as a result of the information stolen from Epsilon, experts said. Victims are typically directed to a counterfeit website that asks, for example, for online banking login credentials.
Paul Ducklin of UK security firm Sophos said: “Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely.
“That, in turn, can make their fraudulent correspondence seem more believable.”
Epsilon did not release any details of how the hackers broke into its systems but said it was cooperating with law enforcement authorities.
A spokesman for Barclaycard said that only its US customers' names and email addresses had been stolen.