Three days after an email service provider notified clients that its systems were compromised, affected businesses continue to emerge.
A growing list of companies – including Capital One, U.S. Bank, Citigroup, JPMorgan Chase and Barclays Bank of Delaware – currently are notifying customers that hackers have stolen their email addresses.
All the companies use the Dallas-based email service provider, Epsilon, which on Friday revealed that hackers gained unauthorized entry to its email system to steal its clients' customer data.
The breach also affects a number of well-known retailers and hospitality companies, including Brookstone, Disney, Fry's, L.L.Bean, Marriott Rewards, New York & Co., Ritz-Carlton Rewards, The College Board, The Home Shopping Network, TiVo and Walgreens, according to reports and breach notification letters.
The stolen information includes email addresses and customer names, according to Epsilon's statement. No Social Security numbers or financial information were compromised.
It is unclear how hackers successfully infiltrated Epsilon's network or how many email addresses were involved.
Many of the affected businesses began notifying customers over the weekend about the incident. Customers may receive an increase of spam as a result of the breach, according to several notification letters.
The data could also be used to perpetrate socially engineered attacks, Richard Mackey, vice president of consulting at SystemExperts, told SCMagazineUS.com on Monday. With the knowledge that a particular user did business with a certain company, an attacker would be able to craft real-looking phishing scams.
“Most effective phishing attacks are the ones that have legitimacy,” Mackey said. “The more authentic and targeted they are, the more convincing they are.”
Users should be especially cautious when opening links or attachments from unknown third parties in light of the incident, affected brands have warned their customers.
The breach also extends to a number of supermarkets, including City Market, Dillons, Food 4 Less, Fred Meyer, Jay C, King Soopers, Kroger, QFC and Ralphs, according to reports.
Epsilon said it detected the breach on Wednesday. Epsilon is the world's largest "permission-based" email marketing provider and sends more than 40 billion emails each year, according to the company's website.
The incident mirrors a similar attack, disclosed in December, against Atlanta-based email marketing services firm Silverpop Systems. That breach affected a subset of Silverpop's clients, including McDonald's and social media site DeviantART.
SystemExperts' Mackey said these breaches illustrate the importance of ensuring that third-party service providers that are trusted to maintain a company's information can do so securely.
Before handing over information to third parties, organizations must assess the risks associated with that data and ensure it will be adequately protected, he said. Organizations must then maintain an active relationship with service providers to ensure their protection mechanisms are in line with industry standards.
The organization also should be prepared to react in case of a breach, Mackey added.
Many security rules and regulations require organizations to ensure that their third-party providers exercise due care to protect personal information.
Epsilon and its affected customers, however, likely did not violate any laws because the stolen information was not connected to any other identifying data, such as Social Security or credit card numbers, Mackey said.
“It is admirable, in a sense, that the organizations did make this announcement that the information was compromised, even though they weren't forced by regulation to do so,” he added.