Hackers Probably Stole Your Email Address Last Weekend

Raise your hand if you are a JPMorgan Chase customer. Now raise your hand if you’ve shopped at Best Buy. How about Citibank, Target or Walgreens?

Has everybody in the world raised their hands yet? Congratulations — your email address may have been stolen.

There was a data breach at Epsilon, a Texas-based marketing firm, last weekend, exposing the names and email addresses of potentially millions of their clients’ customers. I first found out about it when Chase emailed me. You might have gotten a similar alert from one of the affected companies.

Read part of the bank’s announcement and more about the breach, after the jump.

Here’s what Chase had to say:

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send emails, that an unauthorized person outside Epsilon accessed files that included email addresses of some Chase customers.

The theft of millions of email addresses from almost 60 companies is not as potentially dangerous as leaking credit card numbers or bank passwords, but it’s still significant. The main danger from this is an increase in “spear phishing” attacks — nerd-speak for targeted email spam.

From the New York Times:

In traditional phishing attacks, criminals email millions of people with a message that appears to be from a bank or other real business, hoping that some of the recipients will be customers of that business and will follow instructions to, for example, “update your account information.”

A spear-phishing email is far more dangerous because it can include a person’s name and is sent only to people who are known to be customers of a certain business, greatly increasing the likelihood that the targets will be duped.

I have received this type of scam email before. It is unsettling to get a message that looks and smells like spam, yet includes my name and some correct, esoteric information about my life and shopping preferences.

(You might also ask, “Does anyone actually click on spam email? Aren’t we past that?” The answer, as this study explains, is solidly, “Yes they do, and no we aren’t.”)

These days, companies — especially financial institutions — are pushing more of their business online and using third parties to handle customer data. Our own Kashmir Hill wrote an interesting piece over at Forbes about the business of data tracking and Epsilon’s part within it:

When you opt to get emails from a company or organization, you’re often asked to choose between html and plain text. Choosing the html version means more than just pretty pictures; it also allows for tracking of that email. A company like Epsilon can determine whether their client’s email is going to your junk folder, or whether you opened it (and when), and what you clicked on when reading the email.

It seems I see a big new data breach every few months. The news reports often echo what the Times said about Epsilon: “the breach may be among the largest ever.”

The Privacy Rights Clearinghouse maintains a database of every data breach since 2005. A quick glance at the list will make you shiver. Data gets out for all kinds of reasons. In addition to problems with hackers, equipment gets lost or stolen, companies inadvertently sell information to the wrong people, and disgruntled employees steal data.

Most breaches never make the news.

Large breaches are a pain in the rear for everyone involved, and they also represent a legal risk for the companies that expose the data. It’s only a matter of time before someone files a class action relating to the Epsilon breach. Even if no one finds actual damage to consumers, there may be some kind of settlement.

Depending on the severity of a breach and the actual damage to consumers, the settlements in these suits can range from several hundred thousand dollars to several million. And depending on the state, data breaches may violate privacy laws.

Kash sums the current situation up well:

I, for one, am going to be extra wary of any emails I get from Hilton Honors or TD Ameritrade moving forward. Hopefully, I don’t miss out on any legitimate free night specials. …

So kiddies, watch out for sophisticated phishers, and think twice before opting for the html version of email subscriptions.

Words for the wise. Don’t ever say we don’t give you practical advice around here!

Christopher Danzig is a writer in Oakland, California. He previously covered legal technology for InsideCounsel magazine. Follow Chris on Twitter @chrisdanzig.
