Just before the New Year, I received a strange email that appeared to be sent from the New York Times regarding my account. But the email referenced renewing my home delivery subscription, which I don’t have – I only have an online subscription. A few days later, I received another email apologizing and acknowledging it had been sent in error.
But more research reveals that many users received the same email, and an earlier statement from the New York Times reported the emails were a result of spam, although it did not directly name the source, according to Gigaom.com. Search Security and the Wall Street Journal reported on a data breach that affected several companies, including J.P. Morgan Chase & Co. and TiVo, back in April of last year.
The one common factor between the two separate incidents? All of these companies employ third-party email marketing campaign management by Epsilon Data Management LLC, a division of Alliance Data Systems Corp.
In April, Epsilon reported hackers had breached its system security and accessed names and email addresses, including personal information of more than 40 companies (Search Security reports 150 companies, including major banks, retailers and other firms). The company uses customer information to send targeted email promotions to customers of many ecommerce organizations, including Target, Best Buy, the Home Shopping Network and more.
Gigaom.com’s further research shows that the message was sent by bfio.com, a mail server registered to Epsilon Data Management.
Although no credit cardholder data or bank account numbers were accessed, the breach is a great concern for many of Epsilon’s clients, considering the financial and ecommerce nature of their industries. While spam emails were the only consequence in this instance, similar data breaches in which more sensitive information is accessed can result in a major PCI or HIPAA violation and significant financial losses.