U.S. asked to investigate Epsilon breach

E-mail services giant's data exploited by spear-phishing attack, one report states

The U.S. attorney general’s office is being asked to investigate the breach of e-mail service provider Epsilon, which sends about 40 billion marketing e-mails a year on behalf of 2,500 clients.

The company reported on April 1 that a “subset” of its client data had been exposed. Since then, many of the companies Epsilon proves services to – which includes clients such as City, Disney, the College Board and Walgreens – have notified people on their mailing lists about the breach, warning them to be on guard against phishing attacks.

The company said about 50 of its clients were affected, according to a report in Fast Company. The information stolen reportedly included names and e-mail addresses but no other personal information.

Related stories:

RSA hack exploited Flash vulnerability

The cure is known, but the cyber disease persists

Epsilon has not given many other details on the breach, but the Australian website ITnews reported that the breach resulted from a four-month-old spear-phishing attack – which Epsilon was aware of – aimed at employees of e-mail service providers.

The phishing attacks used social engineering tricks, such as an e-mail from a supposed old friend inviting the recipient to view her wedding pictures. The link to the pictures would download malware that disabled antivirus software, stole passwords and gave administrator control of the computer to hackers, ITnews reported.

In light of the potential extent of the breach, Sen. Richard Blumenthal (D-Conn.) has asked U.S. Attorney General Eric Holder to investigate Epsilon for “possible civil and criminal liability” in the incident and called on Epsilon to be more forthcoming with information.

“If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years,” Blumenthal wrote in his request.

He pointed out that Epsilon’s customers have notified people of the breach, but that Epsilon has not even released a list of the companies affected.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • automated processes (Nikolay Klimenko/Shutterstock.com)

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected