Readers question whether Epsilon breach was really names and email addresses only (updated to include response from Epsilon)

From comments under another blog entry, it seems clear that a lot of people do not believe Epsilon’s assurance that the breach involved names and email addresses only.

I received the following email, which I am reproducing except for redacting the name of the sender and the name of the Epsilon employee and their phone number, although that information was provided to me and to CERT:

I saw that you posted an article about the Epsilon breach and I am trying to make consumers aware of more information. Phone numbers were taken along with the email addresses. I am getting over 100 phone calls per day and nothing is being done about it. When contacting the phone company, they give me no other choice but to change my phone number. But I need my phone number for work and it would be very difficult to change it. I am sure there are hundreds of other people dealing with the same issue. At the least, people need to know that it was not just email addresses taken, phone numbers were taken and who knows what else. Epsilon lied to us.

———- Forwarded message ———-
From: [redacted]
Date: Sun, Apr 10, 2011 at 7:23 PM
Subject: Epsilon breach included phone numbers
To: [email protected]

Ever since I was notified that my information was compromised during the Epsilon breach, I have been getting phone calls every 4 minutes constantly for over a week. The calls will come from random computer-generated 11 digit numbers, blocked numbers, and unknown numbers. Even though the numbers are different, they always leave the same 29 second voicemail that sounds like frequencies when adjusting an old TV antenna. I called Epsilon and spoke to [redacted employee name] at [redacted phone number], and she confirmed that other customers were getting the same types of calls and it was widespread. However, they only reported that email addresses were taken and denied anything else. Clearly other information was taken and is still being abused.

I am blocking all calls that are not in my contact list. Here is a brief history of the calls that were blocked for 3 days.

Is anyone doing anything about this???

*********************************************
* Received and Blocked Calls
*********************************************

[A very very long list of timestamps and blocked calls was included in the email to CERT but is deleted here to save space]

In subsequent correspondence, the writer indicated that the phone calls started on March 31 around 2:00 pm ET and have been non-stop ever since. Note that the phone calls reportedly started after the breach occurred but the day before Epsilon issued its press release on the breach.

I asked which notifications s/he had received following the announcement of the breach, and s/he indicated New York & Company, Hilton Honors, and Capital One. The correspondent indicated some surprise that more notifications hadn’t been received because s/he has accounts with some of the other entities who were reportedly affected.

Epsilon did not respond to an email inquiry sent by DataBreaches.net by the time of this publication, but if I receive a response, I will update this post.

Update: An Epsilon spokesperson responds:

As stated in our releases, the ONLY information that was comprised was email address and/or customer name.

At this point, all I’m able to share are the statements on our website as we conduct an ongoing investigation.

About the author: Dissent

3 comments to “Readers question whether Epsilon breach was really names and email addresses only (updated to include response from Epsilon)”

  1. Jill - April 11, 2011

    I am getting emails and phone calls from schools. They are small colleges or some types of tech schools. They have been calling my cell phone all morning. So irritating! Now I have to volume my phone down and check it periodically for my calls. I have no idea how I got on this list except for the Epsilon breach.

  2. Ryan - April 12, 2011

    Disclaimer: At this point I do not hold Epsilon or any subsidiaries responsible as I don’t have proof to directly link them to any state breach in my information. At no point is it my intention to blame previous said company(s) of any wrongdoing as forth such a time as there is direct proof. The purpose of this is not to libel anyone or any company entity, and the names of those involved have been removed to protect them as well. As such any information given by employees may differ from that of their perspective and or recordings, and shall not be used against me as this is purely for educational purposes for the general public to use at their discretion to protect themselves against fraud, and to gain perspective if they should have concern over their information. This is my account which is primarily from memory and some written information as such may not be entirely accurate. By reading the following you attest that you will not hold me liable for any damages incurred or use such against me.

    Beginning on April 5, 2011, I myself started receiving phone calls similar to what Jill has described. As of April 11, 2011 I have currently received 27 phone calls; as I have a book of documentation they range from calls from “Achieve”, “Online Careers”, “Career Learning”, “Survey Rewards”, several colleges: “CI colleges”; others unlisted. After verifying other companies such as Monster.com, etc. did not have a breach I questioned whether this was linked to the Epsilon.

    On April 7th I contacted Epsilon (# from website) and spoke with employee K******* who documented my case and registered it as ELEVATED and redirected me to PRIVACY department.
    Almost immediately I contacted head of Epsilon privacy C**** B. and left a message on voicemail stating basically that the above calls have been coming in and I have verified that you are the only possible breach for the information, the volume of calls I have received, the nature of the calls, and that a lot of them know my full name have been phishing hard for information.

    On April 8th I received a call back from Epsilon privacy employee R***, gave me web address http://mycardcare.com//forms/email and a call back number. I asked employee R*** if it is possible that your company lost more than my email and name? He/she stated that at this time there are investigations taking place and at this time it appears that only emails and or names and ADDRESSES have been compromised. When questioning R***’s slip on addresses they proceeded to tell me steps to protect myself and spoke no further on the situation which may have just been misinformation as it has not officially been stated.

    The following steps were as follows:

    1. By telling companies to stop having third parties have access to my information I stated well that is like 6-8 breaches I counted on from your hack. Employee R*** stated that actually it’s more like 100 companies with us that probably have your information; not meaning that my information was compromised 100 times but it may be possible. So I took from it that that’s impossible.

    2. By verifying that I reduce my information left open to any viewer on the internet; I stated that I have contacted a lot of companies already and they stated that it wasn’t them.

    3. That I am careful of phishing attacks, have a good antivirus and I’m careful not to push buttons to auto fill my information. I stated I have multiple antivirus software and they protect against phishing and I know this issue is not related because after questioning one of the callers they stated that on (APRIL 7 I the date of the call I had signed up for something too bad I wasn’t on the internet.) So employee R*** moved on.

    4. I should put some kind of note on my credit so I receive a call when someone is trying to open new credit and to possibly put a block on all new credit until notified. Did that as of April 11, cost me around $17 for credit report and 10 dollars for the block at TransUnion. The note on credit is free and covers all three credit bureaus, however that $10 fee only covers TransUnion’s block so basically to do all three will run me $30. Sad part is I’m already $27 in and have nothing to show for it and will probably run me $47 by tomorrow but I guess a small price to pay to be protected. Not to mention the price it will cost if I have to change my Phone#.

    Employee R*** was very polite and helpful however I still question their slip up on addresses, because if they have addresses, they probably have phone#’s and who knows what else especially when directing me to put a note on my credit. Also was unresponsive as to if he could tell me for sure if I was breached and what information of mine was compromised. On a side note I visited the address given by R*** at http://mycardcare.com//forms/email they state:

    “Is my Financial information at risk? No only email
    addresses may have been compromised. We do not even
    provide customers’ financial information(such as
    credit card account number) or other personal
    information (such as mailing addresses) to epsilon
    for our email programs.”

    My response is why is Epsilon not addressing the issue itself it seems they have other companies do the dirty work of submitting press releases. And I will counter with an excerpt from Epsilon’s privacy statement, which gives you an idea of what information they have which is scary considering they constantly seem like they state they are primarily emails only.
    “Information Collection and Use
    Use by Epsilon
    This website allows you to request information
    from Epsilon. We receive and store the information
    you enter on our web site, through registration and
    other forms, or give us in any other way. This may
    include your name, the company you work for, postal
    address, email address, telephone number, marketing
    preferences, and other information.”

    So you can see that it’s scary when they have so much information especially the stated “other information” which could be SS#, CC#, Drivers Licenses#. And why do they need to know where I work?

    Some other notes about the calls:
    1. Some callers state that I signed up for things but are unwilling to give information; and when asking to be removed some comply others hang up.

    2. The information I received is they are filling out information and using what I thought I heard the telephone caller state b4 hanging up was (“[someequivilantofmyname]@freeorg.com”) which appears to be a dummy website hosting other websites. From what I understand they are possibly using this site to dummy information through instead of their host site(s), making it probably untraceable and probably earning them money for selling my information.

    3. Some calls say I have an appt at 8pm and I need to dial a number and use an access code. This is most likely a phishing scam to get either information or proxy my number to use to make calls and run up my phone bill.

    4. List of Phone# callers, 8884546008, 9785702445, 3125631616, 9173985568, 9173985596, 8165812595, 8053095505, 9896070596, 3128785582, 3146275523, 5173062440, 8007930282, of course some are repeats, blocked numbers, and my tally doesn’t even include those numbers were not given because I picked up the phone before caller ID and hung up.

    ***My hope is that many of you read this as I will be commenting all over the internet and be wise with your information and steps to protect yourself. ***

  3. Wayne - April 27, 2011

    I have been getting text messages concerning free gift certificates and “unknown” calls to my cell. I have the calls blocked, but the texts are hitting a lot more often. The scary part is that they use my full name and tell me I have 24 hours to claim my prizes. I have also seen an uptick in spam on an account that I use when signing up with companies at the stores. It is a pain… I was a little freaked out until I saw that there are others who are going through this agony. I feel for all of you and hope that this goes away sooner rather than later.
