Data breach exposes millions to phishing scams

Online inboxes nationwide are expected to face a wave of phishing attacks and extra spam after a data breach at a marketing company exposed the names and email addresses of millions of clients of high-profile banks and retailers, reports said Monday.

Epsilon, an Irving, Texas-based marketing firm that develops and manages databases and offers marketing analytics and delivery services such as email communications, issued a statement Friday warning of the data breach, which the company said happened Thursday.

Companies affected by the breach include grocer Kroger Co., drugstore chain Walgreen, electronics dealer Best Buy, and banking giants JPMorgan Chase, U.S. Bancorp, Citigroup, Capital One and Barclays Bank. The Associated Press said the College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.

The Guardian called the hack "one of the largest Internet security breaches in U.S. history."

"A subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said in its one-paragraph statement.

Epsilon said although hackers got email addresses and names, "a rigorous assessment" determined that they didn't get credit card numbers, account numbers or passwords. The company said an investigation is under way.

News outlets said affected companies, which also included DVR company TiVo, cable TV's Home Shopping Network, catalog retailer L.L. Bean, Walt Disney Co. subsidiary Disney Destinations, and hotel chains Marriott and Ritz-Carlton, have started warning customers to look out for "phishing" frauds, email messages that purport to be from legitimate businesses but are intended to steal information like account numbers or passwords.

Epsilon handles 40 billion permission-based emails annually on behalf of its 600-plus clients, Reuters said. Epsilon told The New York Times that the breach affected about 2 percent of its clients. The company wouldn't tell the Times how the hack happened or why the email addresses weren't encrypted.

David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, told The Associated Press that criminals have been moving away from indiscriminate phishing and toward more intelligent attacks known as "spear phishing," which rely on having more intimate knowledge of the victims.

"This data breach is going to facilitate that in a big way," Jevans, who is also the CEO of security company IronKey Inc., told the AP. "Now they know which institution people bank with, they know their name and they have their email address.

"You're not going to see typical phishing where 90 percent of it ends up in spam traps and is easily detected," Jevans added. "This is going to be highly targeted."

The AP said the scale of the data breach meant many people received warnings from multiple companies over the weekend.

Jill Kocher of Crystal Lake, Ill., for example, told the AP she got at least five emailed warnings, including from U.S. Bank, Best Buy and New York & Co.

Because she works for Internet coupon company Groupon, Kocher said she feels savvy enough to avoid any phishing come-ons. But she fears for those who aren't.

"U.S. Bank sends you an email and it looks legit and you cough up the information, and now you're in big trouble," Kocher said. "It sure does sound like a big increase in fraud, just waiting to happen."

Epsilon is a unit of Alliance Data Systems Corp. of Plano, Texas. The breach apparently worried investors Monday -- Reuters reported that Alliance Data's stock briefly hit an intraday low of $80.31 on the New York Stock Exchange. Reuters said investors speculated that Alliance could face lawsuits and lose customers.

Alliance Data shares fell $1.73, or 2.01 percent, Monday to close at $84.20.

Nevertheless, Stifel Nicolaus' Chris Brendler told Reuters, "While the stock may overreact, Alliance Data may be able to successfully navigate the challenges."

The Associated Press contributed to this report. Contact reporter Matthew Crowley at mcrowley@reviewjournal. com or 702-383-0304.