SAN FRANCISCO (CNET / CNN / AP) — With the theft of millions of e-mail addresses from the world’s largest “permissions-based” e-mail marketing company, Epsilon, several large firms have started warning customers to expect fraudulent e-mails that try to coax account information from them.
Epsilon, which has offices in San Francisco, said that someone hacked into its computer system and stole an unknown number of e-mail addresses and names last week.
The scope of the breach was potentially huge, with financial-service companies such as Capital One Financial Corp., Barclays Bank, U.S. Bancorp, Citigroup Inc. and JPMorgan Chase & Co. and retailers including Best Buy Co., TiVo Inc. and Walgreen Co. coming forward Monday to say that their customers had been affected.
Epsilon said it sends 40 billion e-mails per year on behalf of its 2,500 clients, and Reuters called the breach potentially “one of the biggest such breaches in U.S. history.”
Epsilon released a statement over the weekend indicating that on March 30 it detected an “unauthorized entry” into its system that exposed customer names and e-mail addresses. The company said “no other personal identifiable information associated with those names was at risk.”
Both Chase and Capital One posted notices about the breach on their Web sites, and both also said financial data, and any other data apart from names and e-mail addresses, did not appear to be at risk.
While there’s little fear that identities could be stolen because of the huge leak of e-mail information alone, security experts did worry about a malicious form of spam called “targeted phishing” or “spear phishing.” These terms refer to fake e-mails that try to look real because the scammer knows something about you.
“This data breach is going to facilitate that in a big way. Now they know which institution people bank with, they know their name and they have their email address,” said David Jevans, chairman and founder of the non-profit Anti-Phishing Working Group.
Experts said a scammer could design a fake e-mail, purporting to be from one of the companies whose customer data was stolen, that might ask you for sensitive information, like a Social Security number or bank account number. If you divulged that kind of personal data, you could become a victim of identity theft.
Both Chase and Capital One cautioned in the statements on their sites that they would never ask customers to e-mail personal information such as credit card numbers or Social Security numbers.
(Copyright 2011 by CBS San Francisco. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. Wire services may have contributed to this report.)