Where’s My Carrier Pigeon?

So perhaps you received one of the following two emails today. Let’s begin with the first. I received this early in the morning and read it in awe.

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

This raises a number of questions. I emailed these questions to Best Buy and I’ll let you know if I hear back. When I submitted my message to them at the Contact Us page of bestbuy.com, it actually displayed an error message, so I’m not placing any bets.

1) Best Buy and its Geek Squad (which it laughingly tries to name drop in this email via a “tip”) provide computer and network security services. I’m supposed to trust them with my data?

2) Why does Best Buy outsource the sending of email to begin with?

3) There is no mention of their agreement with this third party vendor being terminated. Why would you still do business with them?

Then this evening I received another email about a different company’s email database being hacked, too. This particular company uses the same third party provider – go figure. Who IS this magical “Epsilon” that has all of the nation’s retail outlets under its mind control?

To our valued guests,  

Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.

While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.

Consider these tips to help protect your personal information online:

    * Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.
    * Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.
    * Don’t open emails from senders you don’t know.

We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.

Sincerely,

Bonnie Gross
Vice President, Marketing and Guest Engagement

Yes?

11 Responses to “Where’s My Carrier Pigeon?”

  1. Penelope Matthew

    Add 1-800-FLOWERS to the list. This is bad news. Here is what I got:

    “Dear 1800Flowers.com Customer:

    One of our email service providers, Epsilon, has informed us that we
    are among a group of companies affected by a data breach that may
    have exposed your email address to unauthorized third parties.
    It’s important to know that this incident did not
    involve other account or personally identifiable information.
    We use permission-based email service providers such as Epsilon
    to help us manage email communications to our customers.

    We take your privacy very seriously and we work diligently to ensure
    your private information is always protected. Epsilon has assured
    us that no private information, other than your email address,
    was involved in the incident. We regret any inconvenience
    that this may cause you.

    Because of this incident, we advise you to be extremely cautious
    before opening emails from senders you do not recognize.

    We thank you for your understanding in this matter.

    Sincerely,

    Bibi Brown
    Director, Customer Service”

  2. visitor

    walgreens too! wtf


    Dear Valued Customer,

    On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

    We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

    We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Sincerely,

    Walgreens Customer Service Team

  3. Tom Arnold (Not That One)

    Class action lawsuit anyone?

  4. Ed

    Abe Books
    American Express
    Ameriprise Financial
    Barclays Bank of Delaware
    Bebe Stores Inc.
    Benefit Cosmetics
    BestBuy
    Brookstone
    Capital One
    Citibank
    City Market
    The College Board
    Dillons
    Disney Vacations
    Food 4 Less
    Fred Meyer
    Fry’s
    Hilton Honors
    The Home Shopping Network
    Jay C
    JP Morgan Chase
    King Soopers
    Kroger
    LL Bean
    Marriott Rewards
    McKinsey Quarterly
    New York & Co.
    QFC
    Ralphs
    Ritz Carlton
    Robert Half
    Smith Brands
    Target
    TD Ameritrade
    TiVo
    US Bank
    Visa
    Walgreens

    ******
    I’ve heard this is the full list of major companies Ep. served. All of their email databases were accessed.

  5. visitor

    ok, now i feel safe. not!


    Important Information for Capital One Customers: E-mail Fraud Protection

    Capital One was notified by Epsilon, a marketing vendor used to send e-mails, that an unauthorized person outside Epsilon gained access to files that included e-mail addresses of Capital One customers. We have been informed that the compromised files did not include any personally identifiable or customer financial information. We are actively investigating the incident and Epsilon is conducting its own comprehensive investigation in cooperation with the appropriate authorities.

    Customers are reminded to ignore emails asking for confidential account or log-in information and remember that familiar looking links in an email can redirect to a fraudulent site. If you get an e-mail that claims to be from us but you aren’t sure, or you think it’s suspicious, don’t click any of the links. Just send it to us at abuse@capitalone.com then delete it. More information on fraud prevention is available at http://www.capitalone.com/fraud/prevention/phishing.php.

  6. Gary B.

    Now Chase Bank/Credit Cards..

    Seriously. Who let these guys run email for the entire business world?

    #####
    Chase has been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers and former customers. We sent a team to Epsilon to investigate and we are fully confident that the information accessed included some e-mail addresses, but did not include names, or any account or financial information. Because you are a former Chase customer, your e-mail address was in our database and may have been one of those accessed.

    We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

    As a reminder, we recommend that you:

    * Don’t give your Chase OnlineSM User ID or password in e-mail.

    * Don’t respond to e-mails that require you to enter personal information directly into the e-mail.

    * Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.

    * Don’t reply to e-mails asking you to send personal information.

    * Don’t use your e-mail address as a login ID or password.

    If you receive an e-mail from us that looks suspicious, please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud”. It provides additional information on exercising caution when reading e-mails that appear to be sent by Chase.
    #####

  7. fitness chick

    I got this:

    Team Beachbody’s email service provider, Epsilon, has recently informed us that your email address may have been exposed due to unauthorized access of Epsilon’s system. We’ve been told that this unauthorized access was limited to only name and email addresses of some Beachbody customers, with no other information accessed.

    As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.

    We recommend that you always be extremely cautious with emails from persons or entities you do not recognize or know, and specifically:

    * Don’t open links or attachments from third parties you don’t know or recognize;
    * Don’t provide any personal or other sensitive information by email to third parties you don’t know or recognize; and
    * Don’t provide a credit or debit card number, bank or other account details, or any other financial information by email to any third parties you don’t know or recognize.

    We regret that this incident has occurred and apologize for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

    Please don’t hesitate to contact us with any questions at emailsecurity@beachbody.com.

    Sincerely,
    Jonathan L. Congdon
    President, Beachbody, LLC

  8. Robert R.

    I heard that most or all of these companies do NOT have a contract with Epsilon. Epsilon offers its services in a way that can best be described as wholesale, and independent providers then resell Epsilon services to their own customers with any appropriate mark up and service add-ons. So most or all of these companies probably had no idea Epsilon had anything to do with their customers’ information and only found out after the breach occurred. Either way this can only be described as a mess.

  9. Gary V. Chuk

    Hard to believe so many are using Epsilon as either a direct provider or sub provider. Needless to say I think many companies are going to be re-evaluating their providers. I just got an email from GSK (as in GlaxoSmithKline, the pharmaceutical company). Here it is-

    Dear GlaxoSmithKline Consumer Healthcare Customer:

    On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/.

    The information accessed included email addresses and first and last names. The file from which your name and email address were accessed may have identified the product website on which you registered. We take your privacy seriously and want you to be aware of this situation so that you can remain alert to any unusual or suspicious emails.

    One of the primary concerns arising from a breach of this nature is that your information may be used to generate fraudulent email messages that may appear legitimate but are intended to gather confidential information that you would not otherwise reveal.

    GlaxoSmithKline Consumer Healthcare will never ask you to provide or confirm any personal information in emails. Do not respond in any way to emails that appear to be coming from GlaxoSmithKline Consumer Healthcare that ask for personal information. If you receive an email requesting this information, you should delete it even if it appears to be legitimate. Any unusual or suspicious emails should be deleted without opening.

    We also encourage you to take this opportunity to strengthen your passwords on any of your online accounts, particularly those that use the email address impacted by this breach as an account ID, to ensure your ongoing security. Additional information about protecting your personal information online is available at the Federal Trade Commission’s OnGuard Online website.

    GlaxoSmithKline Consumer Healthcare values your privacy and will continue to work to ensure it is protected. We apologize if you receive more than one copy of this message as we are working diligently to ensure you are aware of this situation. If you have unsubscribed from our emails in the past, there is no need to unsubscribe again. Your preferences will remain in place.

    If you have any questions about this communication, please feel free to contact one of our knowledgeable consumer relations representatives at 1-800-245-1040.

  10. Jefferey R

    I don’t even remember emailing Target about whatever they’re responding to. That’s probably because if I did email it would have been over a month ago. What a response time. Here’s the email reply I just got:
    “Thanks for contacting us! I can confirm that the email you received from Bonnie Gross, Target Vice President of Marketing and Guest Engagement is a legitimate notification.

    Target takes information protection very seriously. As Ms. Gross’s email stated, Target was informed by Epsilon, our email service provider, that guest email addresses may have been accessed by an unauthorized party.

    We want to reassure you that no personally identifiable information, such as names and Target credit information was involved; only your email address may have been compromised. Epsilon immediately notified law enforcement, but at this time we don’t have any additional information to provide.

    You don’t need to take any action, but we wanted to notify you of this so that you’ll be cautious if you get an email that looks like it’s from us. Fraudulent email messages may ask you to give your password or personal information through email, or may provide a link to a site that looks like ours.

    Please contact your email service provider for any concerns about recent increases of spam or inappropriate activity. Because only your email information was involved in this incident, Target will not be providing compensation or credit monitoring.

    If you have more questions, please give our Guest Relations team a call at 1-800-440-0680.

    Sincerely,

    Cheryl
    Target Guest Relations
    (800) 440-0680
    http://www.target.com

  11. Sam

    I’ve seen a lot of content talking about best practices that email providers and others need to take to prevent hackers from gaining access to data. But what I’m not seeing is best practices for marketers to take moving forward to help consumers differentiate legitimate transactional email from phishing fraud.

    This breach will make it critical that email marketers, demand generation specialists and email service providers define new emailing best practices. Do we need to change the way we provide links in emails? Do we need to eliminate HTML? How will this affect website design to help people get to the offers in our emails if they choose not to click a link in an email? How will this change the use of tracking code?

    Here is an opportunity for someone to step forward as a real thought leader and change this industry for the better.

