Apr 032011
 

Note: CBS reports that the Secret Service is investigating the Epsilon breach. If you receive a phishing attempt that you want to report to the Secret Service, email [email protected].  You can also file a report at http://www.ic3.gov/default.aspx. I’ll add businesses to the list of affected customers as I become aware of them, so check back if you want to see what else has been reported.  See Brian Krebs’ commentary on the fears about spear phishing as a result of this breach.

  1. 1-800-FLOWERS
  2. AbeBooks
  3. Abercrombie & Fitch (WFNNB)
  4. AIR MILES Reward Program (Canada)
  5. Ameriprise
  6. Ann Taylor (WFNNB)
  7. AshleyStewart (WFNNB)
  8. Avenue (WFNNB)
  9. Barclays Bank of Delaware
  10. Beachbody
  11. Bealls (WFNNB)
  12. bebe
  13. Best Buy
  14. Best Buy Canada Reward Zone
  15. Benefit Cosmetics (see below)
  16. BJ’s Visa (Barclays Bank of Delaware)
  17. Brookstone
  18. Capital One
  19. Catherine’s (WFNNB)
  20. Chadwick’s (WFNNB)
  21. Charter Communications
  22. Chase
  23. Citigroup
  24. City Market
  25. College Board
  26. Crate & Barrel (WFNNB)
  27. Crucial
  28. David’s Bridal
  29. Dell Australia
  30. Dillons
  31. Disney Destinations (The Walt Disney Travel Company)
  32. Domestications (WFNNB)
  33. Dressbarn (WFNNB)
  34. Eddie Bauer Friends
  35. Eileen Fisher (doesn’t name Epsilon but same template letter)
  36. Ethan Allen
  37. Eurosport Soccer (Soccer.com)
  38. Express card (WFNNB)
  39. ExxonMobil Card (Citi)
  40. Fashion Bug (WFNNB)
  41. FINA (WFNNB)
  42. Food 4 Less
  43. Fred Meyer
  44. Fry’s
  45. Gander Mountain (WFNNB)
  46. Giant Eagle Fuelperks! (WFNNB)
  47. GlaxoSmithKline Consumer Healthcare (GSK)
  48. Goody’s (WFNNB)
  49. Hilton Honors
  50. Home Depot Card (Citi)
  51. Home Shopping Network (HSN)
  52. J Crew (WFNNB)
  53. J.Jill
  54. Jay C
  55. Jessica London (WFNNB)
  56. JPMorgan Chase
  57. Justice (WFNNB)
  58. KingSize Direct  (WFNNB)
  59. King Soopers
  60. Kroger
  61. Lacoste
  62. Lane Bryant (WFNNB)
  63. L.L. Bean Visa (Barclay’s)
  64. M & T Bank
  65. Marriott Rewards (FAQ on site)
  66. Marks & Spencer
  67. Maurice’s (WFNNB)
  68. McKinsey Quarterly
  69. MoneyGram
  70. MyPoints Reward Visa
  71. New York & Company
  72. NTB Card (Citi)
  73. One Stop Plus (WFNNB)
  74. PacSun (Pacific Sunwear) (WFNNB)
  75. Palais Royal (WFNNB)
  76. Peebles (WFNNB)
  77. Polo Ralph Lauren
  78. PotteryBarn/PotteryBarnKids (WFNNB)
  79. Quality Food Centers (QFC)
  80. QualityHealth
  81. RadioShack (WFNNB)
  82. Ralphs
  83. Red Roof Inn
  84. Reeds Jewelers (WFNNB)
  85. Ritz-Carlton (FAQ)
  86. Robert Half International
  87. Scottrade
  88. Sears (Citi)
  89. Shell (Citi)
  90. Smile Generation Financial
  91. Smith’s Food & Drug Centers (Smith’s Brands)
  92. Sportsman’s Guide (WFNNB)
  93. Stage (WFNNB)
  94. Stonebridge Life Insurance
  95. Target
  96. Tastefully Simple
  97. TD Ameritrade
  98. The Limited (WFNNB)
  99. The Place (Citi)
  100. TIAA-CREF
  101. TiVo
  102. Trek (WFNNB)
  103. United Retail Group (WFNNB)
  104. US Bank
  105. Value City Furniture (WFNNB)
  106. Verizon
  107. Victoria’s Secret (WFNNB)
  108. Viking River Cruises
  109. Walgreens
  110. Woman Within (WFNNB)
  111. World Financial Network National Bank

Note: WFNNB stands for World Financial Network National Bank . WFNNB is a subsidiary of Alliance Data Systems, the same company that owns Epsilon.

Thanks to all those who have copied and pasted in the emails you have received. If you have something you think I’m missing, please check the list first to see if I already have the name of the company and a working linked copy of the notice. If not, post away!

UPDATE 4-08-2011 I deleted a number of submitted comments because they are describing phishing attacks that have nothing to do with the Epsilon breach. Phishing attempts appearing to come from FedEx, DHL, etc., are old news and while you should continue to be alert so as not to fall for them, this list is only for notices that people received concerning the Epsilon breach or evidence that a phishing attempt is because of the Epsilon breach (e.g., if you used a unique email address for a company and now get a phishing attempt at that address after you were notified of the Epsilon breach).

Email address to report phishing attempts corrected. It is [email protected]

UPDATE 4-09-2011: If you’re first receiving a notice from a firm not previously mentioned on this list, please let me know the date of the email, too. There are a few entities that have been reported that do not appear on the list yet because I do not have copies of their notices or links to web sites where they are posted.  Sometimes people say one thing but when they check, it’s another company, so I need to wait for some proof before posting.

UPDATE 4-09-2011 It seems that overnight, World Financial Network National Bank (WFFNB), a subsidiary of Alliance Data Systems – the same company that owns Epsilon – removed the email security notice that they had linked to from a number of their store credit card sites.  If I was paranoid, I might think that they removed it because I was linking to it.  In any event, links from the above list may no longer work.

Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server. Did the breach occur while they were still clients or did Epsilon not remove their data from their server after they stopped using their service?

An email sent to DataLossDB who shared it with this site, read:

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers’ names and email addresses has been compromised by an unauthorized person.  The only information at risk is your name and email address.

The vendor has assured us that "a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."  This data breach has also affected several other companies that work with this vendor.

  154 Responses to “And the hits just keep on coming for Epsilon”

  1. I think what also may help to defend against any attacks which can benefit from this kind of breach is understanding the data sets the breach put at risk. ISO and individuals need to understand what kinds of data Epsilon collects. Some of it is not protected under law so they may inform users about email, phone, addresses, etc. However some of the data may not fall under any protection resulting in Epsilon avoiding full disclosure. It is important that this not be the case and Epsilon, however painful to their business goals, has to come clean about exactly the who, what, where, and how of the breach.

    ******************************************************************************************
    Epsilon’s Product Data Cards (Types of Data):

    American Smokers Registry
    BusinessClass List Builder From Equifax
    Epsilon TargetSource US – Ailments/Health
    Epsilon TargetSource US – Avid Readers
    Epsilon TargetSource US – Charitable Donors
    Epsilon TargetSource US – Collectors
    Epsilon TargetSource US – Computer and Internet Users
    Epsilon TargetSource US – Cooking and Culinary
    Epsilon TargetSource US – Financial Services Sector
    Epsilon TargetSource US – Gardening Enthusiasts
    Epsilon TargetSource US – Higher Education
    Epsilon TargetSource US – Hobbies and Interests
    Epsilon TargetSource US – Home Electronics
    Epsilon TargetSource US – Mail Order Buyers
    Epsilon TargetSource US – Outdoor Enthusiasts
    Epsilon TargetSource US – Scrapbooking and Crafts
    Epsilon TargetSource US – Sports
    Epsilon TargetSource US – Women at Home
    High-Tech Connect Formerly From Equifax
    ICOM Home Based Business Entrepreneurs
    ICOM Self Employed Entrepreneurs
    ICOM Target NewMover – PreMover Data
    ICOM Target NewMovers
    ICOM TargetPlus [formerly Advantage Choice] – Financial
    ICOM TargetPlus [formerly Advantage Choice] – Masterfile
    ICOM TargetPlus [formerly Advantage Choice] – New Parents
    ICOM TargetPlus [formerly Advantage Choice] – Real Property
    ICOM TargetPlus [formerly Advantage Choice] – Survey
    ICOM TargetPlus [formerly Advantage Choice] -Transactional Mail Order
    ICOM TargetSource Canada – Adults Ages
    ICOM TargetSource Pet Owners
    ICOM TargetSource U.S. – Avid Readers
    COM TargetSource U.S. Ailments and Health
    ICOM TargetSource U.S. Charitable Donors
    ICOM TargetSource U.S. Collectors
    ICOM TargetSource U.S. Computer and Internet Users
    ICOM TargetSource U.S. Education
    ICOM TargetSource U.S. Finance and Investing
    ICOM TargetSource U.S. Hobbies and Interests
    ICOM TargetSource U.S. Household Items
    ICOM TargetSource U.S. Sports
    ICOM TargetSource US – Diet and Health
    ICOM Targetsource US – Grandparents
    ICOM TargetSource US – Homeownership
    ICOM Targetsource US – Masterfile
    ICOM TargetSource US – Music Preferences
    ICOM TargetSource US – Travelers
    ICOM TargetSource US – Vehicle
    ICOM Weekly New Movers
    Permission! Formerly from Equifax
    Residential Property Plus Formerly From Equifax
    Rx Selector Formerly From Equifax
    Small Area Characteristics Database
    TargetPoint In-Market Formerly From Equifax
    TargetPoint New Movers Formerly From Equifax
    The Lifestyle Selector Formerly From Equifax
    The Response Selector Formerly From Equifax
    The SOHO Selector Formerly From Equifax
    TotalSource XL Formerly From Equifax

    ******************************************************************************************
    +
    +
    ******************************************************************************************

    Some of the personally identifiable information Epsilon Sells:

    Age
    Childern
    Email Address
    Mail Order Addresses
    Professions
    Astrology
    Computer Type
    Ethnic Information
    Religion
    Business type
    Insurance preferences
    Pets
    Residence
    Buyer of household
    Donor information to charities
    Lifestyle
    Political Affiliations
    Senior information age

    ******************************************************************************************
    +
    +
    ******************************************************************************************

    I hope that this may be useful in lowering the potential risk from the wave of attacks we may see in the future linking back to this breach.

  2. I got asn email from Border’s

  3. And Chase

  4. Any chance you could c/p it into a comment or email it to me? Would appreciate it!

  5. Unfortunately not, I received it Saturday along with one from Kroger and the garbage has been emptied on that account several times since then. I made note of it on a message board the same day though 🙂

  6. I received 2 mails 1 Saturday from TIVO and 1 Monday from Best Buy that there was a 3rd party that they were attacked on their email server etc. etc. still have those mails just in case. I think it is a shame that this happened with peoples information and they get sloppy with this. regardless if it comes from outside or inside. it need to be protected against all attacks. we put man on the moon but are not able to protect an email server.

  7. World Financial Network National Bank is also behind the whole “Limited” group of companies.. Victoria’s Secret, Express, Express Men, Limited, Limited Too, Justice, Lane Bryant, Bath and Body Works.. probably many more mall stores — these were just the ones I could think of that I know are affiliated.

    The message I received today:

    “We were recently notified by Epsilon, a business partner used to send emails for the Express Credit Card, that an unauthorized party from outside of their company had accessed files that included the names and e-mail addresses of current and former Express credit card holders. We are still investigating this incident with Epsilon and World Financial Network National Bank. They have assured us that no financial or account information was accessed and the data security breach was limited to only names and e-mail addresses.

    Because we take privacy and security seriously, we felt it important to notify our customers as quickly as possible to remind them that Express and World Financial Network National Bank (WFNNB) will never request personal information or account login information via email.

    If you receive an email that appears to be from Express or World Financial Network National Bank asking for personal or financial information, do not respond to that email. Instead, please call the customer service center at the phone number listed on the back of your credit card. As always, you should be cautious of any e-mail message requesting personal information and should not open attachments or click on links from an e-mail unless you know it is from a trusted source.

    We apologize for any inconvenience this may cause, and we will keep you informed of any updates as necessary.

    Sincerely,

    Express”

  8. If you’re interested in non-US breaches, Dell Australia sent me an email: http://pastebin.com/rLnXi691

  9. Re: “Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server.”

    I work at an ESP and it is not unusual for data to be held for former clients, for a few months “hand-over” period.

    This is because sending an email is not like sending a letter. Some data, back on the server, is needed if the email is to display properly. The main example is images. Client data is needed for “display on a browser” links to work – these basically recreate the email, merging in client data as necessary. Pre-populated forms are handled in just the same way.

    Unfortunately, it seems likely that a security weakness in the handling of pre-populated forms and emails is implicated for both the Silverpop and Epsilon hacks. So unfortunately subscribers to former clients were vulnerable.

  10. Yes, I’m interested in non-US impact, too, and thank you!

  11. I received mail from Chase, TiVo, and from the self publishing site Lulu.com. I’m not even a TiVo customer anymore…

  12. Again World Financial Bank, for “Catherine’s” A clothing store for women:

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  13. My apologies, the email wasn’t from lulu. But I’ve since received a few more from other places.

  14. Thanks so much!

  15. If you saved the Lulu.com one and could paste it in, that would be great as this is the first reference I’ve heard that they were affected.

  16. Thanks for correcting the record on that. If you have any that I don’t have on the list, let me know and please post a copy of the email if you saved it.

  17. You’re welcome, sorry about the mixup on lulu. Right as I received those other messages I received something else from lulu. I’m still waiting to confirm with them *just in case* but at this point I can only definitely report Chase, TiVo, World Financial Bank (for Catherine’s) which as a previous poster listed covers MANY stores and online places… I’ll post if I receive more.

  18. I would guess the Ann Taylor reference is connected to the WFNNB. I received this from them this morning, in reference to my Ann Taylor card.

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Ann Taylor Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  19. I know you already know about Victoria’s Secret but here is an actual email from them:

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Victoria’s Secret Credit Card Account.

    Dear Valued Customer,

    Your privacy is extremely important to us, and we wanted to share the following information with you. We discovered that an unauthorized party has gained access to files containing email addresses associated with several companies including Victoria’s Secret credit cards.

    While your email address and/or name may have been included in these files, no sensitive financial or other personal information was compromised. However because of the circumstance, you may receive spam emails. We sincerely apologize for any inconvenience this may cause.

    For your security, we remind you to never provide personal information to unknown individuals/businesses online and avoid opening suspicious email links or attachments.

    Again, we are very sorry that this occurred and are working diligently to maintain your trust. If you have any questions or need further assistance, please call the WFNNB Customer Service Center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  20. Just so you know, Victoria’s Secret and Bath and Body works are the only Limited Brand companys. Limited and Express are no longer affliated with Limited Brands, they are their own companies now. Limited Too is no longer the store/ company’s name as well- it has changed to Justice and is no longer afflicated with the Limited

  21. Thanks… you just gave me something to link to – much appreciated.

  22. I think you’re right, and have added that to the list. Thanks!

  23. Also Chase and WFNNB – Dress Barn. Both attached below.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:
    • Don’t give your Chase OnlineSM User ID or password in e-mail.
    • Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    • Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    • Don’t reply to e-mails asking you to send personal information.
    • Don’t use your e-mail address as a login ID or password.
    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office
    —————————————————-

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Dressbarn Credit Card account.

    Dear Valued Customer,
    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.
    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.
    Sincerely,
    Sallie Komitor
    Head of Customer Service

  24. Received a notice from Lane Bryant this morning

  25. I received this from Air Miles (Canada) on April 4th 2011.

    The AIR MILES® Reward Program was informed by our email service provider that they had an unauthorized entry into their email platform, which is the system used to send AIR MILES emails. We have been assured that the only information that may have been exposed was first name, last name and email address of some of our Collectors. Details of your account are not stored in this system and were not at risk.

    Please note it is possible you may receive spam email messages as a result. We want you to be cautious when opening links or attachments from unknown third parties. We want to remind you that AIR MILES will never ask for your personal information or login credentials in an email. As always, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email.

    As a reminder, we recommend that you:
    • Don’t give your AIR MILES Collector number or PIN in email.
    • Don’t respond to emails that require you to enter personal information directly into the email.
    • Don’t respond to emails threatening to close your account if you do not take the immediate
    action of providing personal information.
    • Don’t reply to emails asking you to send personal information.

    We regret that this has taken place and apologize if this causes you any inconvenience. We take your privacy very seriously and we will continue to work diligently to protect your personal information.

    If you have any questions please contact us at [email protected] or 1-888-AIR MILES.

  26. You’re missing ExxonMobil, issued by Citi…..

    Dear [REDACTED],

    Recently, Citi was notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including Citi. The information obtained was limited to the customer name and email address of some credit card customers. No account information or other information was compromised and therefore there is no reason to re-issue a new card.

    Because e-mail addresses can be used for “phishing” attacks, we want to remind our customers of the following:

    * Citi Cards uses an Email Security Zone in all of our email to help you recognize that the email was sent by us. Customers should check the Email Security Zone to verify that the email you received is from Citi and reduce the risk of personal information being “phished.” To help you recognize that the email was sent by Citi we will always include the following in the Email Security Zone in the top headline portion of all our emails:
    * Your first name and last name
    * Last four digits of your Citi card account number
    * And recently to increase security, we have added your “member since” date located on the front of your card, where available.
    * More information about phishing is available here: learn more

    Important steps that you can take to protect your security online:

    * Don’t provide your Online User ID or password in an e-mail.
    * Don’t reply to e-mails that require you to enter personal information directly into an e-mail or URL.
    * Don’t reply to or follow links in e-mails threatening to close your account if you do not take the immediate action of providing any personal information. We may send you an email regarding your account requesting you contact us via phone.
    * It is not recommended to use your e-mail address as a login ID or password.

    If you suspect that you’ve received a fraudulent e-mail message, please forward it to us.
    Forward suspicious e-mails to: [email protected]

    If you have any questions or concerns about emails that you may receive that look suspicious, we encourage you to contact Citi Customer Service at the phone number on the back of your card.

  27. I got one from Chase. Here it is:

    Note: This is a service message with information related to your e-mail address.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    * Don’t give your Chase OnlineSM User ID or password in e-mail.
    * Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    * Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    * Don’t reply to e-mails asking you to send personal information.
    * Don’t use your e-mail address as a login ID or password.

    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

    If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

    Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.

    JPMorgan Chase Bank, N.A. Member FDIC
    © 2011 JPMorgan Chase & Co.

    LCEPAEM0311

  28. Lane Bryant got almost an identical email as Victoria’s Secret from WFNNB:

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Lane Bryant Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  29. Thanks – added!

  30. Can you copy/paste it in? If not, was it for a credit card with Citi or…?

  31. Thanks – added it to the list!

  32. Here’s the Lacoste one:

    Date: Sun, 03 Apr 2011 17:31:01 EDT
    From: Lacoste USA
    Reply-To: “LacosteUSA”
    Subject: Important Information for Lacoste Email Recipients
    To: xxxxxxxxx

    Dear Lacoste Customer,

    We were recently informed by our email service provider that
    your email address may have been exposed by unauthorized entry
    into their system. Our email service provider deploys emails on
    our behalf to customers who have opted into email based
    communications from us; they have reported this incident to the
    appropriate authorities.

    We want to assure you that the only information that may have
    been obtained was your name and email address. Your account and
    any other personally identifiable information were not at risk.

    Please note, it is possible you may receive spam email messages
    as a result. We want to urge you to be cautious when opening
    links or attachments from unknown third parties. In keeping with
    best industry security practices, Lacoste will never ask you to
    provide or confirm any information, including credit card
    numbers, unless you are on our secure e-commerce site,
    shop.lacoste.com.

    We regret this has taken place and for any inconvenience this
    may have caused you. We take your privacy very seriously, and we
    will continue to work diligently to protect your personal
    information.

    Sincerely,

    Lacoste Customer Service

    ******************************************************************************************
    To speak to a Customer Service representative, please call 800-4-LACOSTE.

    Lacoste USA
    551 Madison Avenue
    New York, NY 10022
    ******************************************************************************************

  33. Thanks to you and others who are submitting copies of the ones I hadn’t seen. Much appreciated.

  34. Add Crucial to the list. Here’s the text of their alert:

    On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

    We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.

    For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

  35. Thank you – that’s the first I heard of this one.

  36. I just received this from Crucial

    On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

    We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.

    For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

  37. I received a notification from Barclay’s Bank for my USAir MasterCard. Same routine as the others. Interesting that they have often used “last 4” of the card number in some of their email communications to me in the past.

  38. Can you copy/paste it in here, sans your last 4 digits/name?

  39. From Robert Half International:

    Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

    As always, if you have any questions, or need any additional information, please do not hesitate to contact us at [email protected].

    Sincerely,

    Robert Half Customer Care

    Robert Half Finance & Accounting
    Robert Half Management Resources
    Robert Half Legal
    Robert Half Technology
    The Creative Group

    2011 Robert Half International, Inc. An Equal Opportunity Employer. For more information, please visit roberthalf.us.

    If you prefer not to receive future general email broadcasts from Robert Half International, please click here to unsubscribe. You may also mail your unsubscribe request to the address below. Thank you.

    Robert Half | Attn: Marketing | 2884 Sand Hill Road, Suite 200 | Menlo Park, CA 94025 USA

  40. Tastefully Simple too.

  41. Received this from Home Shopping Network~
    April 2, 2011

    Dear HSN Customer,

    HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.

    Email scams, spam, and other attacks on email systems are on the rise, but, by taking certain precautions when receiving emails, you can continue to safely use email for your business and personal needs:

    Don’t open links or attachments from people you don’t know and trust.
    Don’t provide personal, financial, or other sensitive information when asked to do so by email. Most reputable companies do not ask for such information by email, and, rest assured, we will not do so.
    If you receive an email appearing to come from us that does ask you for sensitive information, do not respond, click on any links, or download any attachments. Instead, please inform us immediately at the toll-free number or email address provided below.

    We take your privacy very seriously and work diligently to protect your information, whether held by us or by our service providers. HSN’s internal databases, which store all customer-provided data, were in no way compromised. Our email provider has taken significant steps to further protect the limited customer information held in its databases. If you have any questions or concerns regarding this incident, please contact us toll free at 1-800-933-2887 or email us at [email protected].

    Sincerely,
    Gregg Stallwood
    Senior Vice President, Customer Care – HSN

    Please do not reply to this email. If you would like to contact us, please call us toll free at 1-800-933-2887 or email us at [email protected].
    HSN Interactive LLC | Attn: Customer Service | 1 HSN Drive | St. Petersburg, FL 33729‪

  42. My household has received emails from Target, Best Buy, Victoria’s Secret, (2) from Chase and Maurice’s… so I’m up to 6 so far… And I see names of other companies I do business with, which I haven’t received any notifications from…

  43. Do you still have the Maurice’s one? I haven’t seen that one mentioned anywhere. If you have it, please copy/paste it into a comment.

  44. Thank you – I’m changing my link in the list to link to your entry. 🙂

  45. Please add “Chase” to your list. Here’s a copy of my notification:

    From: Chase [mailto:[email protected]]
    Sent: Wednesday, April 06, 2011 7:03 PM
    Subject: Please read important message about your e-mail address

    Note: This is a service message with information related to your e-mail address.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    Don’t give your Chase OnlineSM User ID or password in e-mail.
    Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    Don’t reply to e-mails asking you to send personal information.
    Don’t use your e-mail address as a login ID or password.
    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

    If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

    Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.
    JPMorgan Chase Bank, N.A. Member FDIC
    © 2011 JPMorgan Chase & Co.

  46. Thanks for working through the process of identifying specific companies by asking people to submit their specific emails…

    …but why is this really necessary for end-users to do anything to identify whether specific companies were affected?

    Epsilon had a breach.

    They know the extent of the breach, and how many were effected.

    They have tried to remain out of sight in all their communications, other than their astonishingly dis-respectful paragraph and a half where they claimed only a small portion of anything was their responsibility.

    Why should all these companies have to just guess and assume that they were affected, and put out vague, nebulous, odd emails to their clients that really only say: “we might have had a breach, but we don’t really know exactly what happened, but we’re putting on the smile-ly face anyway because Epsilon told us to in a two paragraph response to our inquiries”?

    The other part is the companies on the list who haven’t bothered to even send email list people even the most basic “we’ve been notified of something” email.

    This whole episode requires a congressional inquiry about why this happened.

    I really don’t care if this gets taken on by either the nut-case dems or the equally nut-case reps on the other side.

    This was identified as happening over a week ago, and since that time, Epsilon has totally not given up anything new about the extent of the breach, or provided actionable information for its hundreds of downstream major companies, and the millions of affected users at the end of the chain to do absolutely anything.

    This is very, very wrong.

  47. I have received emails from 1800Flowers.com and USBank concerning the breach. Here are copies of the emails I received from these two companies. Such a shame this has to happen.

    Dear 1800Flowers.com Customer:

    One of our email service providers, Epsilon, has informed us that we
    are among a group of companies affected by a data breach that may
    have exposed your email address to unauthorized third parties.
    It’s important to know that this incident did not
    involve other account or personally identifiable information.
    We use permission-based email service providers such as Epsilon
    to help us manage email communications to our customers.

    We take your privacy very seriously and we work diligently to ensure
    your private information is always protected. Epsilon has assured
    us that no private information, other than your email address,
    was involved in the incident. We regret any inconvenience
    that this may cause you.

    Because of this incident, we advise you to be extremely cautious
    before opening emails from senders you do not recognize.

    We thank you for your understanding in this matter.

    Sincerely,

    Bibi Brown
    Director, Customer Service

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
    http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

    In addition, if you receive any suspicious looking emails, please tell us immediately.
    Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

    The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

  48. This is the first that I’m really hearing anything about this matter. I have received such emails from both Chase Bank and Walgreen’s Pharmacy. Since it sounded to suspicious, I simply deleted the emails as spam. Sorry, I didn’t keep them for you.

  49. Some members of Congress have taken note and are calling for some answers. Some states’ attorney generals will likely conduct their own investigation, too. Epsilon/Alliance will have a “lot of ‘splaining to do, Lucy.” But at the end of the day, will anything change going forward?

    Right now the consumer focus is on protecting ourselves. What we need to do is find our collective voice and use this to advocate for meaningful change – including what is considered “personally identifiable information” and how long businesses can hang on to data for after we terminate a relationship with them or opt out.

Sorry, the comment form is closed at this time.