The Epsilon Breach: How Worried–and Angry–Should You Be?

So “someone just stole your email address.” What now?



By now, unless you keep your money under your mattress and don’t shop for groceries, electronics, or clothing, you’ve probably received an email from one of the following institutions, apologizing for an email breach: Brookstone, Best Buy, The College Board, Citi, Walgreens, Disney Destinations, McKinsey & Company, the Home Shopping Network, JPMorgan Chase, TiVo, Kroger, Captial One…the list goes on. (And was diligently collected by SecurityWeek.) The email will have informed you of a security breach.

The same company, Epsilon, handles email services for all the brands mentioned above, and many more. Epsilon sends something like 40 billion emails each year on behalf of its 2,500 clients. Yesterday, Epsilon said about 2% of its clients–some 50 brands–were affected by the breach.

What began with a trickle of coverage–a tiny peep of a press release, a post or two on SecurityWeek and Mashable–erupted into a flood of media, with NPR’s Planet Money announcing yesterday: “Someone Just Stole Your Email Address.”

Reached for comment today, an Epsilon spokesperson was tightlipped, saying only that Epsilon was conducting a full investigation and working with authorities. She declined to respond on the record to questions about the nature of the attack, who Epsilon was working with, or how Epsilon might work to prevent further breaches.

Since Epsilon won’t comment, we found someone who would: phishing expert Jason Hong, a computer scientist at Carnegie Mellon. “Regarding the Epsilon breach, at this point we can only speculate about what will happen since we don’t know who took the data and why,” he says. Various possibilities: it might be “script kiddies” (amateur hackers out for fun or bragging rights), or it might be more sophisticated hackers who want email addresses for spamming purposes. Or it could be a rival of Epsilon out to embarrass them. “It’s also possible that hackers thought there was more information on Epsilon’s servers, but didn’t find anything interesting,” says Hong.


“The most obvious outcome is that we will get a lot more apology emails in the next few weeks,” he continues. “So far, all the ones I’ve seen say the same thing, about how a breach happened, and that the attackers have your name and email address but no other sensitive information. Some emails also have information about how to avoid phishing attacks and other scams, but as we’ve seen in past research, just telling people how to protect themselves is not very effective.”

How big of a deal is the attack? Epsilon emphasizes that only email addresses and names were compromised–not financial information or anything deeply compromising. Still, the breach is worrisome, because it gives hackers a stronghold from which to launch targeted phishing attacks. Someone with malicious intent now has reams of names and active email accounts, potentially also coupled with information about which particular brands they have relationships with. A clever phishing attack might mimic the design of a Citibank communication, for instance, and send it to a Citi customer, addressed by name, together with requests for account information. These so-called “spear-phishing” attacks are more likely to succeed than generic attacks, says Hong. He calls this “the most worrisome” possible outcome.

Phishing attacks are nothing new, and if you remain on guard, you shouldn’t be at danger. But a certain percentage of phishing attacks do work, on the unitiated, uneducated, or inattentive–which makes the volume of this breach especially significant.

How did the attacks happen? Epsilon’s not saying, so we have to guess. Hong says he’s willing to bet it didn’t take a whole of firepower. Most likely, he says, “it was a simple breach, using a phishing attack or some standard SQL injection attack. The sad state of affairs in computer security is that relatively simple
attacks are still quite effective.”

Who should you be mad at? The email you received from your trusted brand will have made that clear: Epsilon. In breaches like these, there is a time-honored tradition of buck-passing: our subcontractor did it. Many users are probably startled to learn that their trusted brand doesn’t handle its own email at all.  Byzantine back-end relationships, opaque technological infrastructure, and complicated corporate structures (Epsilon is just part of a larger parent company, Alliance Data, which is expected to release more information about the breach today), mean that when you give your information to a brand you trust, you’re also giving it to other ones you’ve never heard of.


At least, until events like these happen.

Follow Fast Company on Twitter. Email David Zax, the author of this post.

Read More: Which iPhone Apps Are Tracking You?

About the author

David Zax is a contributing writer for Fast Company. His writing has appeared in many publications, including Smithsonian, Slate, Wired, and The Wall Street Journal