Skip to navigation
Latest News

Massive hack hits US banks and retailers

shadowy hand

By Reuters and Nicole Kobie

Posted on 4 Apr 2011 at 08:20

The names and emails of customers of Citigroup and other large US companies were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.

In what could be one of the biggest such breaches in US history, a diverse range of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.

Walgreen, TiVo, credit card lender Capital One and teleshopping company HSN all added their names to a list of targets. JPMorgan Chase, the second-largest US bank, and Kroger, the biggest US supermarket operator, said that some customers were exposed as part of the Epsilon data breach.

Epsilon, an online marketing unit of Alliance Data Systems, said that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion email ads and offers annually, usually to people who register for a company's website or who give their email addresses while shopping.

Some of Epsilon's other clients include Verizon, Hilton Hotels, Kraft Foods, and AstraZeneca.

Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely

"We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorised individual or individuals," HSN, also an ecommerce operator, said in an email to customers.

"This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."

Law enforcement authorities are investigating the breach, though it was unclear how many customers had been exposed. Epsilon is also looking into what went wrong.

"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."

Cloud problems

Paul Ducklin, head of technology for Sophos, noted that email address leaks were not seen as a "cardinal sin" among companies, but would lead to an increase in spam to affected accounts.

"Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely," he noted in a blog post. "That, in turn, can make their fraudulent correspondence seem more believeable."

As Epsilon is essentially a cloud-based email contractor, he said firms should take note that moving to the cloud could have security implications, saying "sometimes, keeping your own skills and abilities factored in to your organisation's security equation can pay off". was faced with a similar problem, after its email marketing firm leaked customer data last month.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Governments need to get a grip

Seriously, legislation needs to be much tighter than it is now. You give your details to a company and they seem to take ownership of your information and think they can do as they see fit with it. Regulations need to be tightened so that companies must treat your data with respect - not share it, not sell it and store it securely. If I were to take certain information from my employer and allow it into the public domain I would be in serious trouble. If a company takes mine and mislays it...."oops, sorry"

By everton2004 on 4 Apr 2011

Legislation needs to be much tighter

The legistlation is already there. It's called the Data Protection Act. However, the problems are (1) it's not enforced and (2) it doesn't apply to countries outside of the UK.

By Stiggy on 4 Apr 2011

Banks and CR*P

The vendor sends more than 40 billion email ads

If only about 2 Billion people in the world are on line, we know where all the cr*p comes from..

By lenmontieth on 4 Apr 2011

Leave a comment

You need to Login or Register to comment.



Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.