Were you affected by Epsilon data breach?

The list of companies whose customer e-mail databases were compromised because of a security breach at Epsilon is growing. We look at the consequences of the breach, and what to do about it.

Erica Ogg Former Staff writer, CNET News
Erica Ogg is a CNET News reporter who covers Apple, HP, Dell, and other PC makers, as well as the consumer electronics industry. She's also one of the hosts of CNET News' Daily Podcast. In her non-work life, she's a history geek, a loyal Dodgers fan, and a mac-and-cheese connoisseur.
Erica Ogg
3 min read

The list of customers affected by the Epsilon database breach continues to grow.

The breach, which took place last week but was announced over the weekend, compromised the e-mail addresses and some names belonging to the customers of many major U.S. companies that outsource their marketing and e-mail communications to Epsilon.

Watch this: Breach exposes clients' customer names, e-mail

The company said Monday that 2 percent of the companies it counts as clients are affected by the security breach. There is no official list of affected companies that's available, and a company spokesperson said Epsilon cannot release the names of its clients. Epsilon is in the midst of conducting an investigation of what led to the security breach.

The list of Epsilon clients whose customer e-mail addresses were stolen is not complete, and is likely to grow. But so far Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy have notified their own customers about the breach. Hilton Hotels and Ethan Allen are also said to be affected.

Here are some tips on what to do if you did receive an e-mail from one of the companies above or if you believe one of them does have your e-mail or name, and what could happen next.

How do you know if you're affected?
If you've ever given your e-mail address to any of the above companies, you probably are.

What will happen?
Most of the companies that are talking about it say the information that was stolen is limited to e-mail addresses and possibly names. Credit card companies and banks like Chase and Capital One say they do not believe any financial information was compromised.

But a bunch of e-mail addresses in the wrong hands means what's likely to result is a rise in phishing scams. "Phishing" is an attempt to use e-mail to try to get you to reveal more personal information about yourself. This can include usernames, passwords, Social Security numbers, or account numbers.

Many times phishers are simply guessing and will pick a company that a broad group of people does business with, like PayPal, or a government entity, like the IRS. The threat in the Epsilon case is now whoever gets access to these lists of e-mail addresses knows exactly what companies count you as a customer. That means phishing attempts can be much more targeted and therefore potentially harder to spot because they can masquerade as being from a bank or company such as the ones listed above.

What should you do about it?
Do not open e-mail from someone you don't know. That's pretty simple. But you'll also need to be extra vigilant now that phishers may know specifically where you shop, what airline you fly, or where you bank. Look at the e-mail address--if it's purportedly from one of the companies above but ends in something other than .com, especially an international domain like .uk, that's a good indication it's a scam since most phishing attempts originate outside the U.S. Also be on the lookout for spelling errors in the e-mail address, URL, or body of the e-mail, or e-mails whose tone sounds particularly urgent.

If you do open the e-mail, don't click any links. A common phishing practice is to ask people to click a link to update their personal information.

If in doubt, call the company
If you get an e-mail from one of the companies listed above asking for any information, and you're unsure if it's legitimate, you can always call them. Many retailers affected by the Epsilon breach are notifying their customers now that they would never ask for sensitive information via e-mail.

Additional resources
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov.

For more information about how to avoid phishing scams, see an FAQ by CNET's Elinor Millshere.