Data hackers score big, but ultimately do little damage

Eddie Bauer, JPMorgan Chase, and roughly 50 other major firms see their customer data breached. Customers, however, should suffer little fallout.


The Epsilon email data breach gave 24-hour news networks lots to talk about.


You probably received a disturbing email this week from a major company you frequently do business with: Best Buy, JPMorgan Chase, or Seattle's Eddie Bauer to name a few.

The language was careful, lawyerly, but the meaning was unmistakable: We've been hacked. So has your personal information.

The story spread across the 24-hour news like a tsunami: “Massive Data Breach Targeting Customers Through E-mail”; “Millions of Emails Exposed”; “Beware: E-mail from ‘Bank’ could be a trick.” 

The sky may not have fallen, however. What actually happened seems less charged than the reporting: It appears that only names and email addresses may have been stolen. What is not sitting well with some consumers is that the breach was discovered on March 30, but some companies didn't notify their customers until six or seven days later.

According to The Wall Street Journal’s account, a little-known marketing company called Epsilon Data Management LLC, allegedly one of the world's largest providers of marketing-email services to financial firms, retailers, and other major corporations, had its computer data banks breached by unknown hackers.

The breach appears to have been wide and deep. In addition to Eddie Bauer, Best Buy and Chase, the blue-ribbon companies include Disney Destinations, Target, Marriott, and Walgreens; other banks included U.S. Bancorp and Capital One. Some 50 companies reportedly have been affected.

Best Buy noted in an April 4 email to customers, “We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.”

In an April 1 press release, Epsilon said, “On March 30th, an incident was detected where [approximately 2 percent] of total clients … for which Epsilon provides email services of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.”

A full investigation is currently underway, Epsilon added.

The delayed notification of customers has some people concerned. Best Buy's email reached customers on Monday (April 4); Marriott's late Tuesday afternoon (April 5) — six days after the incident. To date, Epsilon has not published a full list of the companies that were hacked, nor has it issued any more information since its terse press release — a fact that has some bloggers less than satisfied with Epsilon’s performance.

What was stolen, however, appears to be of little value, if Epsilon's account is correct. If the actual data theft remains limited to a name and email address, the damage to consumer privacy will be minimal. If it turns out that the breach invaded people’s personal information, then the situation could be more serious.

How significant is the breach? Writer Sheryl Harris of The Plain Dealer in Cleveland said it well: “It's a big breach in terms of the number of people affected — but minor in terms of the real threat to consumers. Having your email address fall into the wrong hands is like having your phone number sold: All it means is that strangers may be able to contact you.

“The biggest danger is that you'll respond.”

Phishing — sending an email that looks legitimate but is actually an attempt to get you to write back and reveal private data such as your Social Security number — is one of the downsides of today’s digital commerce. Phishing emails are often scary, telling you that your account has been suspended unless you contact your “company” and give them certain vital information.

If you do respond, you often wind up on a site that looks authentic but isn’t; the information you think is vital to them is in fact a means of doing mischief, which can range from simple spamming to stealing information about your finances or medical records. It all depends on what you’re disclosing. In addition, the site could be installing vicious spyware capable of transmitting your keystrokes back to the sender.

How can you prevent this kind of identity theft?

  • Set your email spam filters at the highest level.
  • Fix the settings on your email software so you can preview the contents of an email without opening it. 
  • Be leery of clicking links in emails or opening attachments.
  • Even if the email is from someone you know, if the style is impersonal and totally unlike their usual writing style, they may also have been hacked.

Most security experts agree that the first step in protecting yourself is simple common sense. If it seems suspicious, it usually is. Ask yourself, for example, why your bank is asking for your social security number and date of birth when you know full well they already have it on file.

If you have any doubt about the authenticity of a company’s request, call the company’s billing or security department directly and ask if the request is valid. An online site called Contact Help can help you get a company customer service number. Websites have gotten coy about sharing those numbers with the public: Forcing you to talk to an automated-voice response system is so much less expensive than allowing you to talk to a human operator.

