Data Breach Results in Email Marketing Spam

Just before the New Year, I received a strange email that appeared to be sent from the New York Times regarding my account. But the email referenced renewing my home delivery subscription, which I don’t have – I only have an online subscription. A few days later, I received another email apologizing and acknowledging it had been sent in error.

NYTimes Spam Email

NYTimes Spam Email

But more research reveals that many users received the same email and an earlier statement from the New York Times reported the emails were a result of spam, although they did not directly name the source, according to Gigaom.com. Search Security and the Wall Street Journal reported on a data breach that affected several companies, including J.P. Morgan Chase & Co. and TiVo back in April of last year.

The one common factor between the two separate incidents? All of these companies employ third-party email marketing campaign management by Epsilon Data Management LLC, a division of Alliance Data Systems Corp.

In April, Epsilon reported hackers had breached its system security and accessed names and email addresses, including personal information of more than 40 companies (Search Security reports 150 companies, including major banks, retailers and other firms). The company uses customer information to send targeted email promotions to customers of many ecommerce organizations, including Target, Best Buy, the Home Shopping Network and more.

Gigaom.com’s further research shows that the message was sent by bfio.com, a mail server registered to Epsilon Data Management.

Although no credit cardholder data or bank account numbers were accessed, this is a great concern of many of Epsilon’s clients, considering the financial and ecommerce nature of their industries. While spam emails were the only consequence of this instance, similar data breaches in which more sensitive information is accessed can result in a major PCI or HIPAA violation, and significant financial losses.

Read more about Who Needs to be PCI Compliant? and Who Needs to be HIPAA Compliant? if you’re not sure whether or not your company needs to meet national security standards.

References:
Breach Brings Scrutiny
Massive Epsilon Email Breach Could Lead to Email Attacks, Spam
Update: New York Times Email List Spammed – By the New York Times

facebooktwittergoogle_pluspinterestlinkedinmail
This entry was posted in HIPAA Compliance, PCI Compliance and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy This Password *

* Type Or Paste Password Here *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>