Best Buy, JP Morgan Chase, Capital One, Kroger, TiVo, US Bank, Walgreens, Marriott Rewards, Ritz-Carlton Rewards, Citi, McKinsey & Co., New York & Co. and Brookstone customer databases were compromised through a breach at their shared email marketing provider, Epsilon. Sources: Bloomberg, SecurityWeek.
Those are big companies whose customer email lists were stolen last week, and they have done a mediocre job of disclosing the compromise. Just to give you an idea of the scale, at least hundreds of millions of email addresses were exposed. And does anyone really know about it? You should.
They would know about it if the communications efforts were honest and not glossed over in corporate-speak. It shouldn’t take an email that tells me to watch out for spam, plus a weak “apology” for the improper handling of my email address, to work out that a massive data breach took place.
This was the message I recently received from TiVo, where I hold a lifetime membership:
And this is the message from Kroger, the parent company of Fry’s Food & Drug stores:
As victims of a data breach, we want someone to blame. Unfortunately, neither TiVo nor Fry’s explained the source of the compromise beyond “our email provider.” As the victim, I would like a named source and a central location for details. Do they have my name or just my email address? Do they have my shopper or customer preferences? How widespread was this? All of this and more could be explained in the email, or at least on their website.
Update, 4/3/11: It looks like US Bank disclosed the source of the hack, meeting some of my suggestions listed above. [thanks @vanillarice]
Update, 4/4/11: Received an email notification from Best Buy, which also has similar details to what has been published.
And people wonder why security compliance and testing (PCI DSS and the like) matter even for something as blasé as a mailing list. PCI DSS formally covers only cardholder data, not email addresses, but the same controls it demands, restricted access, logging and regular penetration testing, are exactly what would limit a breach at an email provider. This is why.
So after doing a little searching, I found a press release TiVo published which names Epsilon, the email provider in question, as the source of this data breach. For what it’s worth, Kroger was the first to notify me, and I’ve yet to get word from Chase.
And the email provider that got hacked only posted one paragraph about the incident. I know from experience that the shorter your crisis communications, the more serious the incident is. Hopefully the feds find out the source.
A company like Epsilon could afford to learn from AWeber. AWeber was compromised twice within a year, and after each incident it put people’s concerns to rest within a week by plainly disclosing the scope of the data that was accessed. (AWeber published its security compromises on Dec. 21, 2009 and Oct. 19, 2010.) Unless a breached provider gives actual numbers, the safe presumption is that its entire database was accessed.
Epsilon and AWeber haven’t been the only targets for hackers in recent years. In 2010, SilverPop was hacked and did just as abysmal a job of communicating about the data breach. Keep in mind that SilverPop also held a massive amount of consumer data.
No one was prosecuted for those breaches. This is the work of offshore hackers operating where laws are weak, jurisdiction is limited and tracking people down is near impossible. Don’t expect anyone to get arrested, because the hackers are global.
If your email marketing database gets jacked, at least pin the blame correctly. Assuming all of the responsibility looks very bad to your customers and prospects. Also, feel free to use a little style, tone and a sense of true regret by having a public officer of the company sign the email. DeviantArt explained this a while back, and its users still respect it for that.
Of course, these are my opinions, not my employer’s. I’m just shocked this doesn’t make the news.
If you get more spam, you’ll know why. Expect subject line gems like “80% OFF VIA.GRA” in your inbox. Watch for phishing as well: a stolen list that ties your address to a brand you actually do business with lets an attacker send mail that looks like it came from that company.
[Image credit: subcircle]