Officials Suggest Close E-Mail Monitoring After Data Breach

State officials are warning residents to screen e-mail carefully after a Texas-based company that sends out promotional materials for several major companies announced that its e-mail lists were compromised.
 
Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are advising residents not to respond to requests for personal or account information, including login names or passwords.
 
The advisory was issued after Epsilon Data Management, an Irving, Texas company that describes itself as the “world’s largest permission-based e-mail marketing provider,” informed its clients that Epsilon’s e-mail system had been breached by an “unauthorized entry.”

Epsilon has been clear that the hacked information was limited to e-mail addresses and/or customer names. The company sad on Sunday that a full investigation is currently under way.
 
Jepsen and Rubenstein said Epsilon sends more than 40 billion emails annually to customers of its 2,500-plus clients.

Among those clients reportedly affected by the breach are Ameriprise Financial, Best Buy, Brookstone, Capital One, Citi, Disney Destinations, Home Shopping Network, JP Morgan Chase, Kroger; LL Bean, Visa Card, Marriott Rewards,  McKinsey & Company, New York & Company, Robert Half Technologies, The College Board,  TiVo, US Bank, and Walgreens.
 
Rubenstein said his concern is that customers may receive what looks like a legitimate e-mail from one of those companies. It could instead be a message sent by a scammer asking for account numbers or other information that could be used for fraud.

The e-mail may also direct the customer to a link of a fake Web site that downloads a keystroke logger or other malware or virus onto home computers, he said.
 
“Even if the only data taken in this breach are email addresses, it still poses a significant risk to consumers in terms of phishing scams and other types of Internet fraud,” Rubenstein said. “Consumers need to be particularly vigilant about not providing any personal information requested in an e-mail, even if it appears to be from a legitimate company they have business with. This includes Social Security numbers, account numbers, dates of birth, or other identifying information.”
 
Jepsen said he sent a letter to the company today requesting more information about how the breach occurred and what was being done to make sure a similar breach does not happen again.
 
“The situation also raises questions about the effectiveness of Epsilon’s measures to protect the confidentiality and security of private information that it receives from its clients and, by extension, their customers.  I am particularly concerned that breaches of this sort do not reoccur and that affected individuals are provided sufficient protections to safeguard their information from further disclosures,” Jepsen said.
 
Jepsen said he expects the company to help consumers who may be harmed by phishing scams.
 
“For a company such as Epsilon, which manages customer databases and regularly emails consumers of scores of companies, the security of consumer information is critical.  I expect Epsilon to work with and protect any consumers harmed as a result of this breach,” Jepsen said.

An Epsilon spokeswoman said on Sunday that the company does not want to get into specifics because of the investigation.
 
Assistant Attorney General Matthew Fitzsimmons is handling the matter for Jepsen.