Walgreens, Chase, TiVo warn of email breach

By Dow Jones Newswires-Wall Street Journal
Posted April 4 at 11:47 a.m.

A data breach at one of the world’s largest providers of marketing-email services may have enabled unauthorized people to access the names and email addresses for customers of major financial-services, retailing and other companies.

While no financial information was compromised, the major concern is that the emails and names could be used for “phishing,” that is, phony emails asking unsuspecting consumers to divulge information such as account numbers, log-ins or Social Security numbers.

As a result, companies were warning customers that they don’t ask for personal information, like credit-card and Social Security numbers, via email.

On April 1, Dallas-based Epsilon, a subsidiary of Alliance Data Systems Corp., said that on March 30, “A subset of Epsilon clients’ customer data (was) exposed by an unauthorized entry into Epsilon’s email system.

“The information that was obtained was limited to email addresses and/or customer names only,” the company said, adding that “no other information associated with those names was at risk.” The company said an investigation is under way.

Citigroup Inc., one of the affected companies, said it had been told by Epsilon that the information was limited to names and/or email addresses of some North American credit-card customers “and no account information or other information was compromised.”

J.P. Morgan Chase & Co., Barclays PLC, U.S. Bancorp and Capital One Financial Corp. also alerted their customers to the incident.

“As you can imagine, the email that is going out now isn’t going through Epsilon,” one bank representative said.

Walgreen Co., New York & Co. and Kroger Co., also said they were informed by Epsilon that files related to their customers might have been exposed.

SecurityWeek, which follows the Internet- and enterprise-security industry, said other companies affected included

– Ameriprise Financial

– Best Buy

– Brookstone

– Capital One

– Citi

– Disney Destinations

– Home Shopping Network

– JPMorgan Chase

– Kroger

– LL Bean Visa Card

– Marriott Rewards

– McKinsey & Co.

– New York & Co.

– Ritz-Carlton Rewards

– TiVo

– The College Board

– US Bank.

Read more about the topics in this post: ,

Companies in this article

Walgreen Co.

Read more about this company »


  1. 007 April 4 at 9:39 a.m.

    I’m not saying that this happened because these companies contracted out to a third party, but it would have been a lot harder to hack into all of them so quickly if the hackers had to go into each company’s systems to get the data rather than to one contractor’s site.

  2. Tom Callahan April 4 at 11:36 a.m.

    With all the tax incentives to set up shop in Texas you would think this Epsilon outfit would use that extra cash to strengthen and harden their security. I’m sure we’ll find out they used the extra cash to pay out executive bonuses, pay out dividends, and/or to buy back outstanding stock.

  3. Leonard Hamilton April 4 at 11:39 a.m.

    Most banks and financial institutions have always felt that anything IT related does not bring in money and should be outsourced. These type of attacks occur on a daily basis and will only get worse. Not saying that home grown employees would have prevented this but it would provide much better security. How much is your data worth?

  4. Jacey April 4 at 12:15 pm

    Another inconvenience that could have been prevented. Don’t you feel like a valued customer now?

  5. lotboy25 April 4 at 12:38 pm

    so what we have here is one outfit that spams eveyone being hacked by other who will spam everyone, thus doubling the amount of spam we’ll receive.
    Unless of course there was more than email addresses taken.

  6. Robt April 4 at 12:45 pm

    Just goes to show that no system is secure and that no matter what safeguards are put in place there is always that slight chance of breach. One has to wonder though if they got this far what is to stop them from trying even harder to get even more data? What steps are they taking to prevent the next attack? I for one have received ten notices on this from various vendors and now wonder when the SPAM will start to hit…not that one would notice seeing that my SPAM box fills up 10:1 over my mailbox these days (but troublesome nonetheless as you still need to sort through it for the legitimate ones that do get blocked).

  7. Michelle April 4 at 1:20 pm

    Add Robert Half to the list – I got an email from them about it yesterday.

  8. RegularGuy April 4 at 2:22 pm

    Add US Bank and Kroger Foods to the list of companies who have had their customers email data hacked and stolen.

    Unless companies start treating this information as valuable, customers are going to stop signing up for merchants’ affinity programs.

  9. Ron Jon April 4 at 2:24 pm

    Tom Callahan, a simple trip to Epsilon’s website will show you that they also have offices in Atlanta, Boston, Cincinnati, Denver, Detroit, New York, San Francisco, St Louis, Washington DC, Toronto, and right here in Schaumburg.

    Man, you can’t read any article now a days without hearing from some lazy class war kook.

  10. LeRoy Johnson April 4 at 3:33 pm

    I’m closing my accounts in ALL of the above mentioned businesses.
    ENOUGH already !!!

  11. Winski April 4 at 3:39 pm

    At, 11:15am pdt TODAY, I spoke with the branch manager of my local US Bank field staff.. She indicated that 1) She had received the same email that I got from the bank saying that an external marketing firm the bank used to do some of their mass marketing saying that they got hacked and customers should be suspect of ‘new’ spam the customer may receive soon; 2) that if I wanted more info, I should call the number included in the email… struck me as odd from a Branch Manager of the bank who, according to her ‘had been briefed via conference call THIS MORNING.., and 3) She said directly, that US Bank DID NOT RELEASE my name and email to Epsilon and that the bank was looking into how Epsilon got the data… As we find now – a LIE.

    SO, I called the number in the email.. After talking briefly to the front line customer service, I got ‘transferred’ to a manager… So I waited the 5 minutes and then got transferred right back to the same folks that sent me to the managers… (Circular system jerk-around).. I finally got to the ‘manager’ level in Customer service with US Bank… He told me that in fact the bank DID use Epsilon as a third party marketing firm – a direct contradiction to what the front line manager told me, and that my name could be taken off ALL lists (opt-out) of being on ANY bank-shared lists…. If that happens – great..

    The message of this irrational rant is, if this HACK at Epsilon exposes YOU to external spamming and Phishing and YOU DID NOT GIVE THE COMPANIES PERMISSION TO SELL OR GIVE AWAY YOUR NAME/EMAIL-ADDRESS, the COMPANIES ARE LIABLE for any damage to you if you didn’t give them permission to use your data…


  12. alaina April 4 at 6:56 pm

    They’re hiding the real story here. They sold our email addresses and personal information for some big bucks, but are trying to make it sound like a ‘hacker’ got them.

  13. Deprogrammer9 April 4 at 9:49 pm

    Odds are they sold your information for millions & millions then played stupid & blamed the evil hackers. Easy money & no one can stop them.

  14. Sarah April 5 at 1:29 pm

    Well, now I have a trojan virus on my computer the very same day that I received the emails from numerous retailers as mentioned. My favorites all disappeared from IE, many desktop icons went missing, music/pictures/files – GONE..?! I have antivirus software, albeit free, avast!, however, it gave a warning that a Trojan was found and isolated, but then my computer is a mess now.. I am worried. Going to have to change tons of passwords which really SUCKS.