Apr 032011
 

Note: CBS reports that the Secret Service is investigating the Epsilon breach. If you receive a phishing attempt that you want to report to the Secret Service, email [email protected].  You can also file a report at http://www.ic3.gov/default.aspx. I’ll add businesses to the list of affected customers as I become aware of them, so check back if you want to see what else has been reported.  See Brian Krebs’ commentary on the fears about spear phishing as a result of this breach.

  1. 1-800-FLOWERS
  2. AbeBooks
  3. Abercrombie & Fitch (WFNNB)
  4. AIR MILES Reward Program (Canada)
  5. Ameriprise
  6. Ann Taylor (WFNNB)
  7. AshleyStewart (WFNNB)
  8. Avenue (WFNNB)
  9. Barclays Bank of Delaware
  10. Beachbody
  11. Bealls (WFNNB)
  12. bebe
  13. Best Buy
  14. Best Buy Canada Reward Zone
  15. Benefit Cosmetics (see below)
  16. BJ’s Visa (Barclays Bank of Delaware)
  17. Brookstone
  18. Capital One
  19. Catherine’s (WFNNB)
  20. Chadwick’s (WFNNB)
  21. Charter Communications
  22. Chase
  23. Citigroup
  24. City Market
  25. College Board
  26. Crate & Barrel (WFNNB)
  27. Crucial
  28. David’s Bridal
  29. Dell Australia
  30. Dillons
  31. Disney Destinations (The Walt Disney Travel Company)
  32. Domestications (WFNNB)
  33. Dressbarn (WFNNB)
  34. Eddie Bauer Friends
  35. Eileen Fisher (doesn’t name Epsilon but same template letter)
  36. Ethan Allen
  37. Eurosport Soccer (Soccer.com)
  38. Express card (WFNNB)
  39. ExxonMobil Card (Citi)
  40. Fashion Bug (WFNNB)
  41. FINA (WFNNB)
  42. Food 4 Less
  43. Fred Meyer
  44. Fry’s
  45. Gander Mountain (WFNNB)
  46. Giant Eagle Fuelperks! (WFNNB)
  47. GlaxoSmithKline Consumer Healthcare (GSK)
  48. Goody’s (WFNNB)
  49. Hilton Honors
  50. Home Depot Card (Citi)
  51. Home Shopping Network (HSN)
  52. J Crew (WFNNB)
  53. J.Jill
  54. Jay C
  55. Jessica London (WFNNB)
  56. JPMorgan Chase
  57. Justice (WFNNB)
  58. KingSize Direct  (WFNNB)
  59. King Soopers
  60. Kroger
  61. Lacoste
  62. Lane Bryant (WFNNB)
  63. L.L. Bean Visa (Barclay’s)
  64. M & T Bank
  65. Marriott Rewards (FAQ on site)
  66. Marks & Spencer
  67. Maurice’s (WFNNB)
  68. McKinsey Quarterly
  69. MoneyGram
  70. MyPoints Reward Visa
  71. New York & Company
  72. NTB Card (Citi)
  73. One Stop Plus (WFNNB)
  74. PacSun (Pacific Sunwear) (WFNNB)
  75. Palais Royal (WFNNB)
  76. Peebles (WFNNB)
  77. Polo Ralph Lauren
  78. PotteryBarn/PotteryBarnKids (WFNNB)
  79. Quality Food Centers (QFC)
  80. QualityHealth
  81. RadioShack (WFNNB)
  82. Ralphs
  83. Red Roof Inn
  84. Reeds Jewelers (WFNNB)
  85. Ritz-Carlton (FAQ)
  86. Robert Half International
  87. Scottrade
  88. Sears (Citi)
  89. Shell (Citi)
  90. Smile Generation Financial
  91. Smith’s Food & Drug Centers (Smith’s Brands)
  92. Sportsman’s Guide (WFNNB)
  93. Stage (WFNNB)
  94. Stonebridge Life Insurance
  95. Target
  96. Tastefully Simple
  97. TD Ameritrade
  98. The Limited (WFNNB)
  99. The Place (Citi)
  100. TIAA-CREF
  101. TiVo
  102. Trek (WFNNB)
  103. United Retail Group (WFNNB)
  104. US Bank
  105. Value City Furniture (WFNNB)
  106. Verizon
  107. Victoria’s Secret (WFNNB)
  108. Viking River Cruises
  109. Walgreens
  110. Woman Within (WFNNB)
  111. World Financial Network National Bank

Note: WFNNB stands for World Financial Network National Bank . WFNNB is a subsidiary of Alliance Data Systems, the same company that owns Epsilon.

Thanks to all those who have copied and pasted in the emails you have received. If you have something you think I’m missing, please check the list first to see if I already have the name of the company and a working linked copy of the notice. If not, post away!

UPDATE 4-08-2011 I deleted a number of submitted comments because they are describing phishing attacks that have nothing to do with the Epsilon breach. Phishing attempts appearing to come from FedEx, DHL, etc., are old news and while you should continue to be alert so as not to fall for them, this list is only for notices that people received concerning the Epsilon breach or evidence that a phishing attempt is because of the Epsilon breach (e.g., if you used a unique email address for a company and now get a phishing attempt at that address after you were notified of the Epsilon breach).

Email address to report phishing attempts corrected. It is [email protected]

UPDATE 4-09-2011: If you’re first receiving a notice from a firm not previously mentioned on this list, please let me know the date of the email, too. There are a few entities that have been reported that do not appear on the list yet because I do not have copies of their notices or links to web sites where they are posted.  Sometimes people say one thing but when they check, it’s another company, so I need to wait for some proof before posting.

UPDATE 4-09-2011 It seems that overnight, World Financial Network National Bank (WFFNB), a subsidiary of Alliance Data Systems – the same company that owns Epsilon – removed the email security notice that they had linked to from a number of their store credit card sites.  If I was paranoid, I might think that they removed it because I was linking to it.  In any event, links from the above list may no longer work.

Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server. Did the breach occur while they were still clients or did Epsilon not remove their data from their server after they stopped using their service?

An email sent to DataLossDB who shared it with this site, read:

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers’ names and email addresses has been compromised by an unauthorized person.  The only information at risk is your name and email address.

The vendor has assured us that "a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."  This data breach has also affected several other companies that work with this vendor.

  154 Responses to “And the hits just keep on coming for Epsilon”

  1. I think what also may help to defend against any attacks which can benefit from this kind of breach is understanding the data sets the breach put at risk. ISO and individuals need to understand what kinds of data Epsilon collects. Some of it is not protected under law so they may inform users about email, phone, addresses, etc. However some of the data may not fall under any protection resulting in Epsilon avoiding full disclosure. It is important that this not be the case and Epsilon, however painful to their business goals, has to come clean about exactly the who, what, where, and how of the breach.

    ******************************************************************************************
    Epsilon’s Product Data Cards (Types of Data):

    American Smokers Registry
    BusinessClass List Builder From Equifax
    Epsilon TargetSource US – Ailments/Health
    Epsilon TargetSource US – Avid Readers
    Epsilon TargetSource US – Charitable Donors
    Epsilon TargetSource US – Collectors
    Epsilon TargetSource US – Computer and Internet Users
    Epsilon TargetSource US – Cooking and Culinary
    Epsilon TargetSource US – Financial Services Sector
    Epsilon TargetSource US – Gardening Enthusiasts
    Epsilon TargetSource US – Higher Education
    Epsilon TargetSource US – Hobbies and Interests
    Epsilon TargetSource US – Home Electronics
    Epsilon TargetSource US – Mail Order Buyers
    Epsilon TargetSource US – Outdoor Enthusiasts
    Epsilon TargetSource US – Scrapbooking and Crafts
    Epsilon TargetSource US – Sports
    Epsilon TargetSource US – Women at Home
    High-Tech Connect Formerly From Equifax
    ICOM Home Based Business Entrepreneurs
    ICOM Self Employed Entrepreneurs
    ICOM Target NewMover – PreMover Data
    ICOM Target NewMovers
    ICOM TargetPlus [formerly Advantage Choice] – Financial
    ICOM TargetPlus [formerly Advantage Choice] – Masterfile
    ICOM TargetPlus [formerly Advantage Choice] – New Parents
    ICOM TargetPlus [formerly Advantage Choice] – Real Property
    ICOM TargetPlus [formerly Advantage Choice] – Survey
    ICOM TargetPlus [formerly Advantage Choice] -Transactional Mail Order
    ICOM TargetSource Canada – Adults Ages
    ICOM TargetSource Pet Owners
    ICOM TargetSource U.S. – Avid Readers
    COM TargetSource U.S. Ailments and Health
    ICOM TargetSource U.S. Charitable Donors
    ICOM TargetSource U.S. Collectors
    ICOM TargetSource U.S. Computer and Internet Users
    ICOM TargetSource U.S. Education
    ICOM TargetSource U.S. Finance and Investing
    ICOM TargetSource U.S. Hobbies and Interests
    ICOM TargetSource U.S. Household Items
    ICOM TargetSource U.S. Sports
    ICOM TargetSource US – Diet and Health
    ICOM Targetsource US – Grandparents
    ICOM TargetSource US – Homeownership
    ICOM Targetsource US – Masterfile
    ICOM TargetSource US – Music Preferences
    ICOM TargetSource US – Travelers
    ICOM TargetSource US – Vehicle
    ICOM Weekly New Movers
    Permission! Formerly from Equifax
    Residential Property Plus Formerly From Equifax
    Rx Selector Formerly From Equifax
    Small Area Characteristics Database
    TargetPoint In-Market Formerly From Equifax
    TargetPoint New Movers Formerly From Equifax
    The Lifestyle Selector Formerly From Equifax
    The Response Selector Formerly From Equifax
    The SOHO Selector Formerly From Equifax
    TotalSource XL Formerly From Equifax

    ******************************************************************************************
    +
    +
    ******************************************************************************************

    Some of the personally identifiable information Epsilon Sells:

    Age
    Childern
    Email Address
    Mail Order Addresses
    Professions
    Astrology
    Computer Type
    Ethnic Information
    Religion
    Business type
    Insurance preferences
    Pets
    Residence
    Buyer of household
    Donor information to charities
    Lifestyle
    Political Affiliations
    Senior information age

    ******************************************************************************************
    +
    +
    ******************************************************************************************

    I hope that this may be useful in lowering the potential risk from the wave of attacks we may see in the future linking back to this breach.

  2. I got asn email from Border’s

    • Any chance you could c/p it into a comment or email it to me? Would appreciate it!

      • Unfortunately not, I received it Saturday along with one from Kroger and the garbage has been emptied on that account several times since then. I made note of it on a message board the same day though 🙂

  3. And Chase

  4. I received 2 mails 1 Saturday from TIVO and 1 Monday from Best Buy that there was a 3rd party that they were attacked on their email server etc. etc. still have those mails just in case. I think it is a shame that this happened with peoples information and they get sloppy with this. regardless if it comes from outside or inside. it need to be protected against all attacks. we put man on the moon but are not able to protect an email server.

  5. World Financial Network National Bank is also behind the whole “Limited” group of companies.. Victoria’s Secret, Express, Express Men, Limited, Limited Too, Justice, Lane Bryant, Bath and Body Works.. probably many more mall stores — these were just the ones I could think of that I know are affiliated.

    The message I received today:

    “We were recently notified by Epsilon, a business partner used to send emails for the Express Credit Card, that an unauthorized party from outside of their company had accessed files that included the names and e-mail addresses of current and former Express credit card holders. We are still investigating this incident with Epsilon and World Financial Network National Bank. They have assured us that no financial or account information was accessed and the data security breach was limited to only names and e-mail addresses.

    Because we take privacy and security seriously, we felt it important to notify our customers as quickly as possible to remind them that Express and World Financial Network National Bank (WFNNB) will never request personal information or account login information via email.

    If you receive an email that appears to be from Express or World Financial Network National Bank asking for personal or financial information, do not respond to that email. Instead, please call the customer service center at the phone number listed on the back of your credit card. As always, you should be cautious of any e-mail message requesting personal information and should not open attachments or click on links from an e-mail unless you know it is from a trusted source.

    We apologize for any inconvenience this may cause, and we will keep you informed of any updates as necessary.

    Sincerely,

    Express”

    • Just so you know, Victoria’s Secret and Bath and Body works are the only Limited Brand companys. Limited and Express are no longer affliated with Limited Brands, they are their own companies now. Limited Too is no longer the store/ company’s name as well- it has changed to Justice and is no longer afflicated with the Limited

    • Received a notice from Lane Bryant this morning

  6. If you’re interested in non-US breaches, Dell Australia sent me an email: http://pastebin.com/rLnXi691

  7. Re: “Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server.”

    I work at an ESP and it is not unusual for data to be held for former clients, for a few months “hand-over” period.

    This is because sending an email is not like sending a letter. Some data, back on the server, is needed if the email is to display properly. The main example is images. Client data is needed for “display on a browser” links to work – these basically recreate the email, merging in client data as necessary. Pre-populated forms are handled in just the same way.

    Unfortunately, it seems likely that a security weakness in the handling of pre-populated forms and emails is implicated for both the Silverpop and Epsilon hacks. So unfortunately subscribers to former clients were vulnerable.

  8. I received mail from Chase, TiVo, and from the self publishing site Lulu.com. I’m not even a TiVo customer anymore…

    • My apologies, the email wasn’t from lulu. But I’ve since received a few more from other places.

      • Thanks for correcting the record on that. If you have any that I don’t have on the list, let me know and please post a copy of the email if you saved it.

    • If you saved the Lulu.com one and could paste it in, that would be great as this is the first reference I’ve heard that they were affected.

  9. Again World Financial Bank, for “Catherine’s” A clothing store for women:

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    • Thanks so much!

      • You’re welcome, sorry about the mixup on lulu. Right as I received those other messages I received something else from lulu. I’m still waiting to confirm with them *just in case* but at this point I can only definitely report Chase, TiVo, World Financial Bank (for Catherine’s) which as a previous poster listed covers MANY stores and online places… I’ll post if I receive more.

  10. I would guess the Ann Taylor reference is connected to the WFNNB. I received this from them this morning, in reference to my Ann Taylor card.

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Ann Taylor Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  11. I know you already know about Victoria’s Secret but here is an actual email from them:

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Victoria’s Secret Credit Card Account.

    Dear Valued Customer,

    Your privacy is extremely important to us, and we wanted to share the following information with you. We discovered that an unauthorized party has gained access to files containing email addresses associated with several companies including Victoria’s Secret credit cards.

    While your email address and/or name may have been included in these files, no sensitive financial or other personal information was compromised. However because of the circumstance, you may receive spam emails. We sincerely apologize for any inconvenience this may cause.

    For your security, we remind you to never provide personal information to unknown individuals/businesses online and avoid opening suspicious email links or attachments.

    Again, we are very sorry that this occurred and are working diligently to maintain your trust. If you have any questions or need further assistance, please call the WFNNB Customer Service Center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  12. Also Chase and WFNNB – Dress Barn. Both attached below.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:
    • Don’t give your Chase OnlineSM User ID or password in e-mail.
    • Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    • Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    • Don’t reply to e-mails asking you to send personal information.
    • Don’t use your e-mail address as a login ID or password.
    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office
    —————————————————-

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Dressbarn Credit Card account.

    Dear Valued Customer,
    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.
    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.
    Sincerely,
    Sallie Komitor
    Head of Customer Service

  13. I received this from Air Miles (Canada) on April 4th 2011.

    The AIR MILES® Reward Program was informed by our email service provider that they had an unauthorized entry into their email platform, which is the system used to send AIR MILES emails. We have been assured that the only information that may have been exposed was first name, last name and email address of some of our Collectors. Details of your account are not stored in this system and were not at risk.

    Please note it is possible you may receive spam email messages as a result. We want you to be cautious when opening links or attachments from unknown third parties. We want to remind you that AIR MILES will never ask for your personal information or login credentials in an email. As always, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email.

    As a reminder, we recommend that you:
    • Don’t give your AIR MILES Collector number or PIN in email.
    • Don’t respond to emails that require you to enter personal information directly into the email.
    • Don’t respond to emails threatening to close your account if you do not take the immediate
    action of providing personal information.
    • Don’t reply to emails asking you to send personal information.

    We regret that this has taken place and apologize if this causes you any inconvenience. We take your privacy very seriously and we will continue to work diligently to protect your personal information.

    If you have any questions please contact us at [email protected] or 1-888-AIR MILES.

  14. You’re missing ExxonMobil, issued by Citi…..

    Dear [REDACTED],

    Recently, Citi was notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including Citi. The information obtained was limited to the customer name and email address of some credit card customers. No account information or other information was compromised and therefore there is no reason to re-issue a new card.

    Because e-mail addresses can be used for “phishing” attacks, we want to remind our customers of the following:

    * Citi Cards uses an Email Security Zone in all of our email to help you recognize that the email was sent by us. Customers should check the Email Security Zone to verify that the email you received is from Citi and reduce the risk of personal information being “phished.” To help you recognize that the email was sent by Citi we will always include the following in the Email Security Zone in the top headline portion of all our emails:
    * Your first name and last name
    * Last four digits of your Citi card account number
    * And recently to increase security, we have added your “member since” date located on the front of your card, where available.
    * More information about phishing is available here: learn more

    Important steps that you can take to protect your security online:

    * Don’t provide your Online User ID or password in an e-mail.
    * Don’t reply to e-mails that require you to enter personal information directly into an e-mail or URL.
    * Don’t reply to or follow links in e-mails threatening to close your account if you do not take the immediate action of providing any personal information. We may send you an email regarding your account requesting you contact us via phone.
    * It is not recommended to use your e-mail address as a login ID or password.

    If you suspect that you’ve received a fraudulent e-mail message, please forward it to us.
    Forward suspicious e-mails to: [email protected]

    If you have any questions or concerns about emails that you may receive that look suspicious, we encourage you to contact Citi Customer Service at the phone number on the back of your card.

  15. I got one from Chase. Here it is:

    Note: This is a service message with information related to your e-mail address.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    * Don’t give your Chase OnlineSM User ID or password in e-mail.
    * Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    * Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    * Don’t reply to e-mails asking you to send personal information.
    * Don’t use your e-mail address as a login ID or password.

    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

    If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

    Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.

    JPMorgan Chase Bank, N.A. Member FDIC
    © 2011 JPMorgan Chase & Co.

    LCEPAEM0311

  16. Lane Bryant got almost an identical email as Victoria’s Secret from WFNNB:

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Lane Bryant Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

    • I received one from WFNNB for Fashion Bug (copy of email below):

      ——————————————————————————–

      Subject: Important information about your Fashion Bug credit card account
      From: WFNNB – Fashion Bug Credit Card
      To: [email protected]
      Date:Wed, Apr 6, 2011 12:22 am

      This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Fashion Bug Credit Card account.

      Dear Valued Customer,

      Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

      As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

      Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

      Sincerely,
      Sallie Komitor
      Head of Customer Service

      © 2011 World Financial Network National Bank

  17. Here’s the Lacoste one:

    Date: Sun, 03 Apr 2011 17:31:01 EDT
    From: Lacoste USA
    Reply-To: “LacosteUSA”
    Subject: Important Information for Lacoste Email Recipients
    To: xxxxxxxxx

    Dear Lacoste Customer,

    We were recently informed by our email service provider that
    your email address may have been exposed by unauthorized entry
    into their system. Our email service provider deploys emails on
    our behalf to customers who have opted into email based
    communications from us; they have reported this incident to the
    appropriate authorities.

    We want to assure you that the only information that may have
    been obtained was your name and email address. Your account and
    any other personally identifiable information were not at risk.

    Please note, it is possible you may receive spam email messages
    as a result. We want to urge you to be cautious when opening
    links or attachments from unknown third parties. In keeping with
    best industry security practices, Lacoste will never ask you to
    provide or confirm any information, including credit card
    numbers, unless you are on our secure e-commerce site,
    shop.lacoste.com.

    We regret this has taken place and for any inconvenience this
    may have caused you. We take your privacy very seriously, and we
    will continue to work diligently to protect your personal
    information.

    Sincerely,

    Lacoste Customer Service

    ******************************************************************************************
    To speak to a Customer Service representative, please call 800-4-LACOSTE.

    Lacoste USA
    551 Madison Avenue
    New York, NY 10022
    ******************************************************************************************

  18. Thanks to you and others who are submitting copies of the ones I hadn’t seen. Much appreciated.

    • I just received this from Crucial

      On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

      We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.

      For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.

      For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.

      We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

  19. Add Crucial to the list. Here’s the text of their alert:

    On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

    We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.

    For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

  20. I received a notification from Barclay’s Bank for my USAir MasterCard. Same routine as the others. Interesting that they have often used “last 4” of the card number in some of their email communications to me in the past.

  21. From Robert Half International:

    Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

    Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

    As always, if you have any questions, or need any additional information, please do not hesitate to contact us at [email protected].

    Sincerely,

    Robert Half Customer Care

    Robert Half Finance & Accounting
    Robert Half Management Resources
    Robert Half Legal
    Robert Half Technology
    The Creative Group

    2011 Robert Half International, Inc. An Equal Opportunity Employer. For more information, please visit roberthalf.us.

    If you prefer not to receive future general email broadcasts from Robert Half International, please click here to unsubscribe. You may also mail your unsubscribe request to the address below. Thank you.

    Robert Half | Attn: Marketing | 2884 Sand Hill Road, Suite 200 | Menlo Park, CA 94025 USA

  22. Tastefully Simple too.

  23. Received this from Home Shopping Network~
    April 2, 2011

    Dear HSN Customer,

    HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.

    Email scams, spam, and other attacks on email systems are on the rise, but, by taking certain precautions when receiving emails, you can continue to safely use email for your business and personal needs:

    Don’t open links or attachments from people you don’t know and trust.
    Don’t provide personal, financial, or other sensitive information when asked to do so by email. Most reputable companies do not ask for such information by email, and, rest assured, we will not do so.
    If you receive an email appearing to come from us that does ask you for sensitive information, do not respond, click on any links, or download any attachments. Instead, please inform us immediately at the toll-free number or email address provided below.

    We take your privacy very seriously and work diligently to protect your information, whether held by us or by our service providers. HSN’s internal databases, which store all customer-provided data, were in no way compromised. Our email provider has taken significant steps to further protect the limited customer information held in its databases. If you have any questions or concerns regarding this incident, please contact us toll free at 1-800-933-2887 or email us at [email protected].

    Sincerely,
    Gregg Stallwood
    Senior Vice President, Customer Care – HSN

    Please do not reply to this email. If you would like to contact us, please call us toll free at 1-800-933-2887 or email us at [email protected].
    HSN Interactive LLC | Attn: Customer Service | 1 HSN Drive | St. Petersburg, FL 33729‪

  24. My household has received emails from Target, Best Buy, Victoria’s Secret, (2) from Chase and Maurice’s… so I’m up to 6 so far… And I see names of other companies I do business with, which I haven’t received any notifications from…

    • Do you still have the Maurice’s one? I haven’t seen that one mentioned anywhere. If you have it, please copy/paste it into a comment.

      • I have received one from Maurices also:

        This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Maurice’s Credit Card account.

        Dear Valued Customer,

        Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

        As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

        Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

        Sincerely,
        Sallie Komitor
        Head of Customer Service

        © 2011 World Financial Network National Bank

      • This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Maurice’s Credit Card account.

        Dear Valued Customer,

        Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

        As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

        Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

        Sincerely,
        Sallie Komitor
        Head of Customer Service

  25. Please add “Chase” to your list. Here’s a copy of my notification:

    From: Chase [mailto:[email protected]]
    Sent: Wednesday, April 06, 2011 7:03 PM
    Subject: Please read important message about your e-mail address

    Note: This is a service message with information related to your e-mail address.

    Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    Don’t give your Chase OnlineSM User ID or password in e-mail.
    Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
    Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
    Don’t reply to e-mails asking you to send personal information.
    Don’t use your e-mail address as a login ID or password.
    The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

    Sincerely,

    Patricia O. Baker

    Senior Vice President

    Chase Executive Office

    If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

    Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.
    JPMorgan Chase Bank, N.A. Member FDIC
    © 2011 JPMorgan Chase & Co.

    • Curious about Chase’s notifications – most people seem to have gotten them on April 6, but that appears to be a second round or batch. I got notified by Chase on April 4. Same email, but two days earlier.

  26. Thanks for working through the process of identifying specific companies by asking people to submit their specific emails…

    …but why is this really necessary for end-users to do anything to identify whether specific companies were affected?

    Epsilon had a breach.

    They know the extent of the breach, and how many were effected.

    They have tried to remain out of sight in all their communications, other than their astonishingly dis-respectful paragraph and a half where they claimed only a small portion of anything was their responsibility.

    Why should all these companies have to just guess and assume that they were affected, and put out vague, nebulous, odd emails to their clients that really only say: “we might have had a breach, but we don’t really know exactly what happened, but we’re putting on the smile-ly face anyway because Epsilon told us to in a two paragraph response to our inquiries”?

    The other part is the companies on the list who haven’t bothered to even send email list people even the most basic “we’ve been notified of something” email.

    This whole episode requires a congressional inquiry about why this happened.

    I really don’t care if this gets taken on by either the nut-case dems or the equally nut-case reps on the other side.

    This was identified as happening over a week ago, and since that time, Epsilon has totally not given up anything new about the extent of the breach, or provided actionable information for its hundreds of downstream major companies, and the millions of affected users at the end of the chain to do absolutely anything.

    This is very, very wrong.

    • Some members of Congress have taken note and are calling for some answers. Some states’ attorney generals will likely conduct their own investigation, too. Epsilon/Alliance will have a “lot of ‘splaining to do, Lucy.” But at the end of the day, will anything change going forward?

      Right now the consumer focus is on protecting ourselves. What we need to do is find our collective voice and use this to advocate for meaningful change – including what is considered “personally identifiable information” and how long businesses can hang on to data for after we terminate a relationship with them or opt out.

  27. I have received emails from 1800Flowers.com and USBank concerning the breach. Here are copies of the emails I received from these two companies. Such a shame this has to happen.

    Dear 1800Flowers.com Customer:

    One of our email service providers, Epsilon, has informed us that we
    are among a group of companies affected by a data breach that may
    have exposed your email address to unauthorized third parties.
    It’s important to know that this incident did not
    involve other account or personally identifiable information.
    We use permission-based email service providers such as Epsilon
    to help us manage email communications to our customers.

    We take your privacy very seriously and we work diligently to ensure
    your private information is always protected. Epsilon has assured
    us that no private information, other than your email address,
    was involved in the incident. We regret any inconvenience
    that this may cause you.

    Because of this incident, we advise you to be extremely cautious
    before opening emails from senders you do not recognize.

    We thank you for your understanding in this matter.

    Sincerely,

    Bibi Brown
    Director, Customer Service

    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

    We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

    Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
    http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

    In addition, if you receive any suspicious looking emails, please tell us immediately.
    Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

    The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

  28. This is the first that I’m really hearing anything about this matter. I have received such emails from both Chase Bank and Walgreen’s Pharmacy. Since it sounded to suspicious, I simply deleted the emails as spam. Sorry, I didn’t keep them for you.

  29. for Victoria secret
    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Victoria’s Secret Credit Card Account.

    Dear Valued Customer,

    Your privacy is extremely important to us, and we wanted to share the following information with you. We discovered that an unauthorized party has gained access to files containing email addresses associated with several companies including Victoria’s Secret credit cards.

    While your email address and/or name may have been included in these files, no sensitive financial or other personal information was compromised. However because of the circumstance, you may receive spam emails. We sincerely apologize for any inconvenience this may cause.

    For your security, we remind you to never provide personal information to unknown individuals/businesses online and avoid opening suspicious email links or attachments.

    Again, we are very sorry that this occurred and are working diligently to maintain your trust. If you have any questions or need further assistance, please call the WFNNB Customer Service Center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  30. Got one from Express today.

    We were recently notified by Epsilon, a business partner used to send emails for the Express Credit Card, that an unauthorized party from outside of their company had accessed files that included the names and e-mail addresses of current and former Express credit card holders. We are still investigating this incident with Epsilon and World Financial Network National Bank. They have assured us that no financial or account information was accessed and the data security breach was limited to only names and e-mail addresses.

    Because we take privacy and security seriously, we felt it important to notify our customers as quickly as possible to remind them that Express and World Financial Network National Bank (WFNNB) will never request personal information or account login information via email.

    If you receive an email that appears to be from Express or World Financial Network National Bank asking for personal or financial information, do not respond to that email. Instead, please call the customer service center at the phone number listed on the back of your credit card. As always, you should be cautious of any e-mail message requesting personal information and should not open attachments or click on links from an e-mail unless you know it is from a trusted source.

    We apologize for any inconvenience this may cause, and we will keep you informed of any updates as necessary.

    Sincerely,

    Express

  31. Important information about your J. Crew credit card account
    Wednesday, April 6, 2011 12:15 AM
    From:
    “WFNNB – J. Crew Credit Card”
    To:

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your J. Crew Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  32. Play.com

    • You got a notice this week from Play.com that mentioned Epsilon? Are you sure? As far as I know, Play.com uses a different ESP.

  33. We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.

    We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.

    We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Marks and Spencer plc. Registered office: Waterside House, 35 North Wharf Road, London W2 1NW.
    Registered number: 214436 (England and Wales)

  34. Received a call from someone on Monday night saying they were from Chase and asked for my husband by name. When he asked if this was a sales call they said they were having computer problems and would need to call him back. He contacted Chase, gave them the toll free number that came up on our caller I.D., and told them what happened. They confirmed that the number was not one of theirs. Here is the number 800-522-9841. Our only guess is that the call goes hand-in-hand with the breach.

  35. Here’s one from Chadwicks:
    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Chadwick’s Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  36. Add Home Depot.

    I also had my Wells Fargo bank acct online info hacked at around the same time. Had to cose all my accts. I wonder if this is just coincidence.

    • That’s the WFNNB Home Depot card, correct? Have that one already, but thanks.

      And yes, there are many things that most likely are coincidental. There’s no report that Wells Fargo was involved in the Epsilon breach – at least, none that I’ve seen so far. I have had a report of Wells Fargo canceling cards, but they didn’t seem to know what merchant had been breached. When was your WF account or card compromised? Are you in Minnesota, by any chance? Feel free to email me with more details on the WF incident at breaches[at]databreaches.net

  37. I received a suspicious-looking email that is supposedly from Intuit, and believe my information was obtained because I use QuickBooks and have an account.

  38. what do you suggest? Make a new email account and make changes to all credit cards/bank accounts?

    • I use vendor-specific email addresses. In other words, I have a store/vendor-specific email address for every account I open. That way, if there’s a problem or something suspicious, I can know where to investigate and can just cancel the email address without all of my other accounts being affected.

      So if I were you, I wouldn’t open a new email account that you give to all stores, because this could just happen again (and probably will, unfortunately).

      I think Gmail allows you to create tagged email, e.g., if your account is [email protected], you can use [email protected] and sign up with maurice’s using that email address, while you use [email protected] for dealing with Target, etc. etc. I’ve never tried it and I think I read that not all merchants will let you use an email address with a “+” in the email address, but you might want to look into it.

      I actually prefer a for-fee service that allows me to create addresses “on the fly,” instead of having to go into my email settings to create the username. Check out http://www.cotse.net. If I’m on the phone with JACKDOE and they say, “What’s your email address?” I just tell them “[email protected][myusername].cotse.net.” And if I don’t want to hear from them forever, then I can give them an automatically expiring email address like [email protected]{myusername}.cotse.net – any email sent to that address will not be delivered to me after May 31, 2011. That way, even if some marketer keeps my data forever, I won’t be bothered by them – or harmed by attempted phishes, etc. The service also has other great privacy features that I respect.

      I think you’re wise to try to change things going forward, as we’re not done with this problem and those who haven’t protected their primary email address(es) may see a lot of spam or phishing attempts for a long time to come.

  39. I received an email from PotteryBarn/Kids/Teen via World Financial Network National Bank (WFNNB) which I didn’t see listed above. I’ve pasted the email below:

    Dear Valued Customer,
    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.
    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  40. I got ten fraud emails from UPS, DHL, and Fedex The UPS ones say “A package is being shipped to your home” So here are some more to add, and I know if I looked now that you have brought this to light I would find a lot.

    • I’ve been getting those UPS, DHL, FedEx ones for ages now, and those companies have not indicated that they are clients of Epsilon, so unless those data were acquired in an earlier breach, they’re probably not related to this breach. But thanks!

  41. An important notice from New York & Company
    Saturday, April 2, 2011 8:44 AM

    Dear New York & Company Customer,

    Yesterday, we were informed by our email service provider that your
    email address was exposed by unauthorized entry into their system. Our
    email service provider deploys emails on our behalf to customers who
    have opted into email based communications from us. We want to assure
    you that the only information that was obtained was your name and/or
    email address. Your account and any other personally identifiable
    information were not at risk.

    Please note, it is possible you may receive spam email messages as a
    result. We want to urge you to be cautious when opening links or
    attachments from unknown third parties. We also want to remind you that
    we will never ask you for your personal information in an email.

    We sincerely regret this has taken place, and we apologize for any
    inconvenience this may have caused you. We take your privacy very
    seriously, and we will continue to work diligently to protect your
    personal information.

    Please visit http://faq.nyandcompany.com for answers
    to some frequently asked questions about this incident.

    Sincerely,

    New York & Company

  42. Is this one? …It’s “from” GE Money Bank

    You applied for a Wal-Mart Credit Card credit account between September XXXX and November XXXX. We discovered a delivery error that may have caused you not to receive our email response to your request for the Credit Account (Reference Number XXXXXX). We apologize for any inconvenience this may have caused.
    Please click here to review on our secure site the response we previously attempted to send you. If you have trouble opening this within your email system, copy the link below into a new browser and hit enter. This will bring you to an authentication screen where you will be asked for credentials.

    [url deleted by DataBreaches.net]

    We apologize for the length of the link but it is necessary for security purposes.

    Sincerely,

    Wal-Mart Credit Card Services

    Note: This email was sent to you by GE Money Bank, the issuer of your Wal-Mart Credit Card account. You may receive account servicing emails even if you have requested not to receive marketing offers by email for your Wal-Mart Credit Card Account. GE Money Bank is located at 170 West Election Drive, Suite 125, Draper, Utah, 84020, USA.

    • Not related to Epsilon breach, it seems, but looks like a phishing attempt, which is why I deleted the url they included.

      • Thanks – I thought about that as I hit send. I forwarded to GE Money for review after finding an email address on the net to report such emails. Could not figure out if it was related to this breach or not. Appreciate your time and efforts in putting together this list!

  43. Capital One:

    Dear Capital One Customer,

    As we have communicated over the course of the last week, Epsilon—a marketing vendor that sends e-mails on our behalf—notified us about unauthorized outside access to files that included Capital One® customer e-mail addresses.

    The information obtained was limited to the e-mail address of some customers. No account information or other information was compromised. We’ll continue to provide updates when we have important new information to share. And, we’ll let you know what impact, if any, these developments will have on you.

    Protecting our customers’ information is always a top priority for Capital One. We’re working with Epsilon and law enforcement, and we’re thoroughly investigating this incident to help prevent future ones like it. Epsilon is also conducting its own comprehensive investigation in cooperation with the appropriate authorities.

    It’s always a good idea to ignore any e-mail that requests your confidential account or login information. And don’t forget, if you get an e-mail you think is suspicious, don’t click any of the links. Just send it to us at [email protected]. Then delete it.

    We apologize for any inconvenience this unfortunate incident has caused and appreciate your patience. For more information, please visit our Web site at http://www.capitalone.com.

    Sincerely,
    Capital One

    Beachbody:

    Dear Beachbody® Customer,

    Beachbody’s email service provider, Epsilon, has recently informed us that your email address may have been exposed due to unauthorized access of Epsilon’s system. We’ve been told that this unauthorized access was limited to only name and email addresses of some Beachbody customers, with no other information accessed.

    As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.

    We recommend that you always be extremely cautious with emails from persons or entities you do not recognize or know, and specifically:

    Don’t open links or attachments from third parties you don’t know or recognize;
    Don’t provide any personal or other sensitive information by email to third parties you don’t know or recognize; and
    Don’t provide a credit or debit card number, bank or other account details, or any other financial information by email to any third parties you don’t know or recognize.
    We regret that this incident has occurred and apologize for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

    Please don’t hesitate to contact us with any questions at [email protected].

    Sincerely,
    Jonathan L. Congdon
    President, Beachbody, LLC

    Hilton Honors:

    Dear Customer:

    We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

    • Do not open e-mails from senders you do not know

    • Do not share personal information via e-mail

    Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at [email protected].

    As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

    Sincerely,

    Jeffrey Diskin
    Senior Vice President, Customer Marketing
    Hilton Worldwide

  44. I don’t know why they have my email on file, I don’t have any accounts with this company.

    We were recently informed by Epsilon, a marketing vendor used by Stonebridge Life Insurance Company and its affiliates to send emails, that an unauthorized third party gained access to email files of a number of Epsilon’s clients, including our email lists. For your security, you are receiving this notice from us because Stonebridge Life Insurance Company or its affiliates has sent you information via email in the past using Epsilon as our vendor.

    What information was accessed?
    Your email address and first name has been accessed. No other personal information regarding you was accessed.

    How does this impact you?
    In all likelihood, this will not impact you. However, we recommend that you continue to be cautious of unwanted emails, emails that contain links with potential viruses or emails prompting you to provide personal or financial information. We urge you to be cautious when opening links or attachments from unknown third parties.

    What is Epsilon doing about this?
    Epsilon has notified us that they have identified the cause of the breach and have taken the necessary steps to prevent additional data access. Epsilon has reported this incident to the appropriate authorities for investigation.

    We sincerely regret any concern or inconvenience this may have caused you. Your privacy and the security of your information is a top priority for us.

    Sincerely,

    Stonebridge Life Insurance Company and its Affiliates

    2700 West Plano Parkway ● Plano, Texas 75075-8200

    • That’s the first reference to Stonebridge that I’ve seen, thanks! Your experience demonstrates once again that consumers often have NO idea what companies are holding their information. Theoretically, Stonebridge might have bought an email list from somewhere else that they use to initiate marketing contacts. I’m not saying that they did – just that we never know how data gets sold and re-sold, etc.

  45. We have been informed by Epsilon, a provider of Verizon’s email marketing services, that your email address was exposed due to unauthorized access to its systems. Verizon uses Epsilon to send marketing communications on our behalf.

    Epsilon has assured us that the information exposed was limited to email addresses, and that no other information about you or your account was exposed.

    As always, you should be cautious when opening email links or attachments from unknown or suspicious parties, or emails purporting to be from Verizon and asking for financial or account password information. It is our policy to never ask for this information in emails. If you receive such emails, do not reply to them. You can report suspect or unwanted emails to Verizon at [email protected] and can obtain more information on how to protect against spam and phishing attacks on Verizon’s Privacy Policy page by clicking on “Tips for Guarding Your Information” located at the top right hand corner of the page. Our privacy policy can be found at Verizon.com/privacy.

    We regret any inconvenience this may cause you. Please be assured that we take the privacy of your information very seriously.

    Sincerely,

    Verizon

  46. I’ve had 7 notices…. here’s 2 of them.

    ——————————————————

    Dear Valued Customer,

    Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

    [snipped by DataBreaches.net]

    Robert Half Customer Care

    ——————————————————————–

    Dear 1800Flowers.com Customer:

    [snipped by DataBreaches.net]

  47. Dear “Dissent”,
    Have read through the list and can’t find the company that I’ve received four spurious emails from in the last week, Western Union.
    I reported the messages as spam to Yahoo and Chase bank because I’m one of their customers. Chase replied that the Western Union messages had nothing to do with them nor Epsilon. I wonder…
    Here’s the latest message received today :

    — On Wed, 4/6/11, ** Western Union Online ** wrote:

    From: ** Western Union Online **
    Subject: ** Your money transfer has been authorized and is now available for pick up by the receiver !
    To:
    Date: Wednesday, April 6, 2011, 11:39 AM

    SERVICE : Western Union® Money Transfer Service.

    Thanks

    [remainder snipped by DataBreaches.net]

    • These are phishing attempts that have been going on forever.

      Not every phishing attempt will be Epsilon-related, folks. You still need to be careful/cautious, but let’s not blame everything on Epsilon (even though many of us are so ticked off that it’s tempting).

  48. I received this email yesterday. This pertains to Avenue, Jessica London, OneStopPlus stores.

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your United Retail Group Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

    © 2011 World Financial Network National Bank

  49. It looks like the above list comes from the DREAM NJ site, which is the site that stores all clients starting from the days Bigfoot Interactive existed before it was bought by Epsilon. If this is the case, expect the list to keep growing.

  50. Another one to add to your list – I got similar email to others from World Financial Capital Bank:

    This email was sent to you by World Financial Capital Bank (WFCB). WFCB issues your Smile Generation Financial Credit Card account.

  51. I too receive an email that Epsilon has my email addresses from my creditor but I just ignore it, I did not realized that this really big issues. How to get rid of this Epsilon when they already have our email addresses or info of our creditor?

    • Good question. I’d say contact your creditor, tell them that you’re furious with them for using Epsilon and that you want them to get your data totally removed from Epsilon if they want to keep your business. Not just opted out, but removed. And that you never want any of your information sent to Epsilon again.

      It’s worth a shot. 🙂

      • Thank you for your reply earlier.
        I just got an email from Home Depot saying my email had been changed. I called immediately and they said “someone” logged into my account two days ago although nothing seemed to be changed. I was furious that they never notified me of being part of this breach. His comment was that they only notified those emails that were breached. Any email account with them should have been notified as we see now “someone” logged in??? He could care less.
        I closed my card with them.

        I also want to paste an email below to see if this (Career Builders) could be part of this mess: maybe not but I didn’t like the comment “So, it is strongly recommended for you to give us the necessary information about yourself ASAP”

        From: “Merrill Christensen”
        To: (my email appeared here)
        Sent: Thursday, April 7, 2011 9:07:36 AM
        Subject: Work for (my name appeared here)

        To whom it may concern, my name appeared here.
        Our company is pleased to offer you the capacity of Secret Shopper in MarketPlace Force Shop. After coming across on your resume at CareerBuilder online. Our staff office did its best to scrutinize your autobiography and remained to be pleased. We hope that your skills will be among our most valuable assets.

        Necessary Criteria for being employed:

        Age: older than 24
        Internet access
        3-5 hours of free time every day for taking your professional capacities
        Certtificate of no criminal record

        Job Benefits:
        As it goes, Secret Shopper is an ideal way for employees to draw profit in the process of providing feedback, making comments, making of, commenting out to organization. This is a real potential for you to get to the top of the career enjoying things you like above all. For instance, one may lunch in cafe or purchase things in shops reveling in life and helping corporation at the same time.

        Remuneration:
        Your every month wages may reach $1,500-2,000.

        Time Limitation of the Position:
        On account of the great amount of designees for this position, this capacity is time-bound. So, it is strongly recommended for you to give us the necessary information about yourself ASAP.

        To become the contributor of our establishment:

        Please go to our site: MarketPlace Force Shop
        Register yoursel
        Download, read browse thoroughly a contract and underwrite it without fail.
        Tell us the closest Walmart shop to you. Specify the exact address. Five shop are max.
        In underwriting this employment offer, you confirm that your work will be on at-will basis and waive any complaints against MarketPlace Force Shop and its staff.

        About MarketPlace Force Shop:
        Our corporation is drawn in collaboration with other corporations to make better grade on an international scale by applying anonymous resources. We work in a team with over 300 businesses world-wide. Our main work includes marketing and cooperation with merchandising firms, private investigation companies, training organizations and other establishments that are drawn in Secret Shopper services. Our member corporations deal with their consumers in order to ascertain the medium of modernizing level of service industries.

        Regards Best wishes

        • 1.If that email address was linked to your Citi-issued Home Depot Card, you might want to call Citi and tell them what happened and ask why you hadn’t been notified – and that maybe they need to notify more people, etc. It sounds like you spoke to Home Depot, but it was Citi that sent out the notifications about Home Depot cards/email addresses.

          2. To all readers: if you get an email alert/notice – learn to check the headers and path of incoming email so you can determine if the email is really from the person in the “From:” line. If in doubt, look up the phone number of the company or use the phone number on your credit card to call them – not any phone number given in an email.

          3. Your other email sounds like a scam/phishing attempt. Unless it was linked to a breached email address, it’s hard to know why you got it now, but you were wise not to respond to it.
          3.

  52. The British press were also reporting that Play.com and Tripadvisor are customers of Epsilon.

    • Then with all due respect to the British press, I think they’ve erred. As far as I know, Play.com uses SilverPop, while TripAdvisor.com uses ExactTarget.

      If I’m wrong, I hope Neil Schwartzman of CAUCE jumps in to correct me as I need a scorecard by now to keep all of the client-ESP relationships and breaches straight! Or even better, maybe Play.com, TripAdvisor.com, SilverPop, and/or ExactTarget will jump in if I’ve unintentionally erred.

      Note that I’m not saying that Play.com and TripAdvisor.com haven’t had recent breaches. They have. I just don’t see any evidence that those breaches are Epsilon-related.

  53. Epsilon was part of equifax until the data part of the business was bought/sold.
    This could be worse then you want to think about.

    • True, but until forensics are in, we really don’t know whether this was “just” names and email addresses, either, do we?

      • It is NOT just email addresses as I found out today. I would like accountability as well. I am furious at this mess and lack of security measures as well as the complete STRESS this has caused me now that my BANK called to say they had to shut down my card due to fraudulent activity apparently from this mess at Epsilon. All the companies that were involved having my email sent me emails about this breach. Even more furious that all the emails say only my email was affected NOT any financial information which is TOTALLY FALSE! I received a call from my bank as well as sister from a totally different bank that they had to close our debit/credit cards due to fruadalent activity from Portugal and Oklahama immediately after I was notified of Epsilon having my emails breached by several of their companies. Be aware that your credit cards have been breached.

        • What/which bank called you? Was this a store-branded credit card? If so, which store?

          • Citadal and TD Bank called my sister and I with this type of activity. Both of us previously received emails from companies about Epsilon and getting our emails.
            If it helps: Two of charges (and the bank said ALOT of other members)are mostly seeing charges from Portugal and Oklahama. The charge from Portugal was only for $69 so they are thinking if it’s not large people won’t notice. It was from a company named Asaberas according to the bank. The OK. charge was from a place called the Cliff for slightly more money. If anyone has similar charges, please comment. I am going to report this to Epsilon as well as I have been calling all the companies affiliated with my account information to notify them as well. This is no coincidence.

          • I know you may not want to hear this, but what you’re describing could be simply a merchant breach – like a hack of a restaurant or retailer – or even ATM skimmers at gas stations. I’ve had reports from a few areas around the country where we don’t know where the breach was yet but there have been a number of fraud reports. If you want, email me privately and tell me what city/state or part of the country you’re in and I’ll let you know if there are other reports from your area that pre-date the Epsilon breach. Or you could search the rest of DataBreaches.net for your state to see if I’ve recently reported any breaches.

          • Thank you for the info but I believe this is due to this breach. This was NOT a store branded credit card.
            This is too much of a coincidence that both my sister and I received emails re: Epsilon from companies we deal with then two different banks for each of us called us with these fraudulent charges right after this happened. If anyone else has charges from Portugal, please let me know. I will find out if this is from Epsilon. Keep an eye on your charges.
            I was informed there are alot of consumers with the same charges,that is how they had it flagged and called me before it hit my account.
            I am outside of Philadelphia, PA.
            Do you work for Epsilon? I ask since you say “you get reports from areas around the country where WE (plural) don’t know where the breach was yet”. Your signature “admin” gives me the impression you work for a company that is dealing wit this breach?

          • Do I work for Epsilon?! Surely you jest. The “admin” means that I am the administrator of THIS blog, DataBreaches.net, a non-commercial blog set up to inform the public, researchers, and interested policy makers about breaches going on all over on a daily basis.

            The “we” refers to me and people in other organizations who also get reports of, tips about, and track data breaches. I’m a curator for, and researcher for, the Open Security Foundation/DataLossDB project (http://datalossdb.org) and network with the Identity Theft Resource Center and others. Sometimes we get leads or hear things that do not get posted publicly because there’s not enough details or information yet and we may check around with each other to find out if anything knows anything more. If you were a regular reader of this blog, you’d see that there are often media reports about a rash of card fraud where cards are being used outside of the consumer’s state or country. The media reports the rash of breaches even though law enforcement locally and nationally has not yet figured out what the common point of compromise was in the breach. I’m just pointing out that your situation may be one of those situations.

            There have been a lot of people claiming all kinds of things in the aftermath of the Epsilon breach. Some of them may be correct in attributing it to the Epsilon breach, but many of them may just be attributing other breaches to Epsilon.

            Timing isn’t everything. Some things are coincidences. Breaches go on all of the time. Maybe eventually you’ll learn whether what you experienced really does flow from the Epsilon breach. If you do, I hope you’ll let us know. For now, though, I just want people to keep in mind that not all spam and not all card fraud and not all phishing attempts are due to Epsilon, who have a heck of a lot to answer for even without these reports.

  54. I found an e-mail in my spam box that I havent seen before from Express Delivery, I dont know if it has to do with this, but I didnt see them on the list and thought I would post it just in case, it came with an attachment to download(which I did not)–

    from–
    ExpressDelivery system

    Dear customer

    The parcel was sent your home adress
    And it will arrive within 10 business days

    More information and the tracking number
    are attached in document below.

    Thank You

    © Delivery Express 1995-2011

    • Phishing attempt yes, but it’s hard to know whether something is truly linked to any specific breach or source unless the email was sent to an email address that the consumer used for one – and only one – store or merchant.

      • I’ve received “ExpressDelivery” phish prior to the Epsilon Breach, so there’s no connection there. It’s also probably not unreasonable to assume that phishing attempts which stem from the recently leaked Epsilon data would more aggressively use some of the data at their disposal (i.e., addressing you by name and posing as one of Epsilon’s affected clients).

  55. The USPS should also be on this list. I received a similar email at Janie for a package that I didn’t order.

    • USPS should not be on this list. This list is for entities affected by the Epsilon breach – not for all garden-variety phishing attempts. Let’s keep the purpose of this list in mind, please. 🙂

  56. This is a RBC Bank rewards Phishing email. The link you posted to send an email to report the phishing attack is invalid. I.E. [email protected] It was returned undeliverable…

    Here is the sender info from the email…

    RBC Rewards [[email protected]]; on behalf of; RBC Rewards [[email protected]]

    I have never received a quartley RBC rewards email before yesterday…

    • The correct(ed) email address to report a phishing attempt is [email protected]. Sorry for the typo in the address.

      I haven’t seen RBC Rewards listed anywhere as being involved in the Epsilon breach. If you see anything like that, please let me know.

  57. I love that in the notifications that were received we were advised on how to keep our data safe. Wouldn’t it have been better to include some detail on how THEY were going to keep our data safe.

    • I can’t agree more. They are responsible for this. As I said earlier… technology changes too quickly before they update security measures.

  58. This sharing of information probably falls within the Privacy policies of these companies. They’re all a little different, but very similar. I, of course, can’t keep up with each companies policy and sometimes you can opt out of some of the info sharing, but I think it’s more on the marketing side. My understanding is that Epsilon does some type of data processing for these companies and probably the only way to avoid them would be to not do business with these companies. That being said, then you go to another company and I’m sure the same potential probably exists there, as well.

    • Sharing which companies are affected and sharing the emails/names are entirely two different things. THE FORMER NEEDS TO BE DISCLOSED.

  59. We have a petition going demanding accountability from Epsilon, et. al. regarding this whole mess at epsilonbreach.com .

  60. I recieved a letter from Buckle as well.

  61. What about guys who have registered in the casinos online, are they also affected. cause i have registered my credit card ib one of them and my identity to many of the casinos. Will they breach the information?

    • I haven’t seen anything that lists any casino clients. Of course, Epsilon hasn’t disclosed exactly which clients are affected and whom they notified. It’s possible that they notified a company that decided not to notify its customers. That said, Epsilon insists that the only data acquired were the name and email address associated with it.

  62. Thanks but that’s already on the list.

  63. I am frustrated by this breach of privacy. Who even knew that they had access to this information from so many companies. I have received multiple emails from CollegeBoard, Chase, and Scottrade about this and it is scary and troubling. I wish everyone affected would download the ComplainApp from http://www.complainapp.com or the android marketplace and let Epsilon know what they think about it.

  64. You can add two more to this list. I got notices today from M&T Bank and Quality Health.

  65. You might want to add livestream.com to the breach list.

    Quite possible that (livestream.com) may be handled by the same sub or Epsilon directly. Got an email today for their “Spring Cleanup” but the links in the email are identical, dead, and the domain name is :

    list-manage.com

    the full link:

    http://livestream.us1.list-manage.com/track/click?u=75fxxhghb40xxxxxxx3xxx42xxxxx=127xxxxx&e=03c0bcxxxd

    xxxx’s were added justin case those numbers could be used in the wrong way.

    Also, other than having the email and username correct (also taken out for possible security reasons), the links provided are identical (carbon credits and spring cleanup are indentical, too), links are all dead, too. NO mention anywhere in the site for this new Spring Cleanup as it is called. No mention nor concern in their forum. No messages from the admin or the company – something this important one would think a mass internal account email would have been part of the push, if true.

    livestream is pretty big, and I can see some validity and logic in requiring ust what the email asks for, however no mention anywhere on their site is too odd.

    • You’re the first to mention them. That tracker ID doesn’t work because of the redaction. Could you possibly post the text of the email you rec’d with the date of their email to you? Omit your name and email address, of course.

  66. OK, I traced it back to MailChimp. Perhaps they too are breached?

    • MailChimp? That’s interesting if you were using a vendor-specific email address, as it seems you were from another one of your comments. As I mentioned, the url you provided doesn’t work due to the redaction. Could you either post what you got (redact your name but leave any +tag unless it reveals your identity), include the date and their message and sig.

      There have been a number of breaches involving ESPs. MailChimp is not among the names I’ve seen mentioned, but it’s worth checking into, certainly.

  67. Please however, keep in mind, the email sent did have our correct username and exact email ([email protected])

  68. I did some digging due to the email notifiers I was getting and there are more clients that Epsilon hasn’t publicly admitted to:

    http://defendourfree…nformation.aspx
    Epsilon and Personal identifying Information

    http://defendourfree…of-epsilon.aspx
    Reed Elsevier is a Customer of Epsilon

    http://defendourfreedoms.net/2011/04/07/another-customer-of-epsilonâ€�“equifax.aspx
    Another Customer of Epsilon is Equifax

    From reading their press releases on these other clients, Epsilon does telecommunication contacts as well as direct mailing. So that means they have more then emails and names. They also had some joint releases with their parent, Alliance Data. Alliance Data works with FirstData in payment and billing processing. If that is a shared database with Epsilon, then they have financials. Epsilon’s TotalSource Plus database software system says it is a centralized database. Software description posted here: http://defendourfreedoms.net/2011/04/09/epsilons-total-source-database.aspx

    • Epsilon has many clients, but they’ve said that only a small percent of their clients were affected by this breach. If you know of specific clients that were affected by the breach that have not been included in the list I have compiled, let me know, but with over 2,000 clients, just mentioning who their other clients are doesn’t really add anything. Similarly, there’s no doubt that these other databases exist, but Epsilon and ADS deny that they were breached. Do you have any indication that they have been breached?

      • I have no indication that anything more happened then what they stated. I have personal knowledge of how database bases in general work and my point of posting their information on the TotalSource Plus software they use to manage their data counters what they have said publicly. So my posts are for all of us to take that under advisement. Their information says their data is centralized. That means the mailing is not a separate database.

  69. How many more do you think have been affected by the breach?

    Please add Polo Ralph Lauren to your Epsilon-breach list.
    Just got this email msg, Wed. April 13, 2011, 8:40PM from Ralph Lauren Customer Assistance:
    ============================================================================================
    From: Ralph Lauren Customer Assistance
    Subject: Important Message from Polo Ralph Lauren
    Date: Wednesday, April 13, 2011, 8:40 PM

    RALPH LAUREN CUSTOMER ASSISTANCE
    If you cannot view this message, click here.

    To our valued customers,

    Polo Ralph Lauren’s former email service provider, Epsilon, recently informed us that an unauthorized third party gained access to an Epsilon email application and obtained names and email addresses of Polo Ralph Lauren customers. We have been informed by Epsilon that the company took immediate action to address the system vulnerability and is working with the U.S. Secret Service to investigate. We regret that you may have been affected by this.

    Epsilon has assured us that no information other than name and email address was acquired by the unauthorized third party. No payment card information or Polo Ralph Lauren account information were acquired as a result of this incident. Nevertheless, we strongly encourage you to remain vigilant when reviewing emails that you receive, particularly emails that request sensitive personal or financial information. We take our obligation to safeguard your personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself.

    Consider these tips to help protect your personal information online:

    • Do not provide sensitive personal or financial information using email. Email is not a secure method for transmitting such information. Please be aware that Polo Ralph Lauren does not send emails to its customers with a request to provide or verify sensitive personal or financial information.

    • Do not open emails from senders you do not know.

    We hope this information is useful to you and regret any inconvenience this may cause you. Please do not hesitate to contact our customer service center at [email protected] if you have any questions at all.

    Sincerely,

    Ralph Lauren Customer Assistance
    Privacy Policy

    RalphLauren.com is a trademark of PRL USA Holdings, Inc.

    This e-mail was sent by Polo Ralph Lauren Corporation, headquartered at 650 Madison Avenue, New York, NY 10022.

    Please address questions regarding our privacy policy to our Chief Privacy Officer, 625 Madison Avenue, Floor 8, New York, NY 10022.

  70. Does anyone know if this is a phishing attempt from the Epsilon breach?

    I sent a msg to Hilton about “[email protected] (see below), because I’m not sure if it’s a legitimate auto-response email address for “Forgot password?” on the Hilton website. So far, I haven’t heard back from Hilton.

    After I received the Epsilon-breach msg from Hilton Honors, I received email messages about signing up for Bonus Points. I forgot my password, since I don’t sign-in often. Below are the auto-response messages that I received after entering my username and email address into a form that automatically appears after I clicked on “Forgot password?” on the Hilton.com site.

    Unread [email protected] Password Request Tue, 4/12/116KB
    Unread [email protected] Password Request Tue, 4/12/116KB
    Read [email protected] Password Request Tue, 4/12/116KB
    Read Hilton HHonors 1,000 extra Bonus Points every night you’re our guest Tue, 4/12/1116KB

    I want to make hotel reservations, but I’m afraid (after I requested my password on the Hilton site) that my password and personal info on the Hilton site have been obtained by whoever/whatever is behind the Epsilon breach. I’m hoping someone can tell me that I shouldn’t be afraid or concerned. Please let me know if you were me if you would use your Hilton Honors username and password on the Hilton site to make reservations. Thank you.

    • If you went to the site on your own instead of clicking on a link in an email and saw the promotion on Hilton’s site and clicked on that link, it’s not likely to be a phishing attempt. But as to your concern about the peculiar auto-responder addresses: when in doubt, pick up the phone and call them to conduct a transaction.

      Your experience is pointing out yet more of the damage that the Epislon breach has done in terms of consumer trust. How many businesses may be losing money because people are afraid to respond to emails….

Sorry, the comment form is closed at this time.