But Friday, this subsidiary of Plano, Tex.-based Alliance Data Systems issued a news release warning that “a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.” The firm said that it discovered the problem Thursday and that it had since determined that only e-mail addresses, names or both had been exposed by the breach.
Since then, Epsilon’s clients — to name several in a long list, Best Buy, Capital One, Chase, the College Board, Disney, Hilton, Walgreens, Target and TiVo — have been e-mailing customers to let them know that their names, e-mail addresses or both were among those compromised. The number of affected people could easily reach tens of millions.
A recipient could be forgiven for thinking that all of Corporate America has been using this one, hitherto-invisible company to stuff his or her inbox with newsletters, pitches and other commercial come-ons.
Despite doing business with at least two Epsilon clients, I have yet to get one of the apology e-mails. My colleague Hayley Tsukayama received one such “we apologize for any inconvenience this may have caused you” note from U.S. Bank on Saturday. That message clarified that “we want to assure you that U.S. Bank has never provided Epsilon with financial information about you.”
Best Buy’s apology has already become infamous for plugging its troubleshooting service: “As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.”
All those notes, however self-serving they might be, make one important point: Although Epsilon’s error might have made your e-mail address more public than before, other data about you is not.
That makes this a much smaller problem than past data breaches such as the General Services Administration’s 2010 exposure of the names and Social Security numbers of all its 12,000 employees, or the long series of screwups that saw tens of millions of credit-card transactions compromised in the last five years alone.
Compared with that sorry record — and in light of the near inevitability of an e-mail account getting spammed — Epsilon’s error looks like a minor flub.
But if you have been using only one account for all of your correspondence, instead of the more advisable policy of employing a secondary address for online shopping and bill payment, this could be more of an annoyance.
It might also aid the authors of “spear phishing” messages that try to trick recipients into entering financial login information at phony sites by addressing them by their real names. That could make all of us a little more skeptical about e-mail pitches, even if they seem to be from companies we know, which could become a fitting punishment for Epsilon.