Epsilon: a watershed for an industry under siege

The attack on the e-mail service provider is part of a long-running campaign

Last week, consumers in the U.S. were bombarded with e-mail messages warning them of what may be the most widely felt data breach in U.S. history. A company that most of them had never heard of, Epsilon Interactive, had been compromised and their names and e-mail addresses had been stolen.

For a few days, it seemed that almost everyone was getting a warning message. The notes all struck the same tone: "Email files have been accessed without authorization," said one, sent to holders of the Dressbarn credit card. "You could receive some spam email messages. We sincerely apologize."

The breach left many victims uneasy, rather than outright scared. After all, these are stolen e-mail addresses, not Social Security numbers or bank account details. Brian Jacobs is a typical victim. An IT manager with the city of Rockport, Texas, he woke up on Monday, April 4 to a warning e-mail from his former employer, staffing firm Robert Half International, telling him that his e-mail address had been taken. With nothing more in the balance, Jacobs said he wasn't particularly worried, but he didn't feel good either. "When they said, 'They just got your e-mail address,' it's like, 'Well, that's what you're telling me today. Are you going to be telling me something else tomorrow?'" he said.

One thing that neither Epsilon nor its parent company, marketing giant Alliance Data, are discussing is the fact that the Epsilon breach is just the latest development in a long-running campaign to hack into the service companies that pump out the bulk of the nation's sales coupons, air miles account updates, and friendly reminders that make up legitimate marketing e-mail campaigns. There are hundreds of these companies out there, ranging from small mom-and-pop operations to large subsidiaries of publicly traded corporations like Epsilon. And over the past year, spammers have been trying to break into them with a vengeance.

"There has been a series of attacks on e-mail service providers that has been occurring since December 2009," said Neil Schwartzman, executive director with CAUCE (the Coalition Against Unsolicited Commercial Email), an anti-spam advocacy group. "About a dozen ESPs were hacked over the course of 2010."

That's particularly worrying because while Schwartzman and others say that many ESPs have been hacked, only four companies have admitted that they were compromised: Epsilon, Silverpop, AWeber Communications and ReturnPath, a company that sells services to ESPs.

With many of these attacks, the criminals target clients of the e-mail service provider. They take over their corporate accounts and then use them to send spam -- often fake Skype or Adobe reader updates that actually contain malicious software.

Schwartzman knows a lot about the problem. He is formerly senior director of security strategies with ReturnPath, which was hit by hackers late last year. ReturnPath isn't an ESP, but it sells deliverability services to more than 2,000 ESPs, including Epsilon. These deliverability services are extremely important to ESPs because they help them get their legitimate marketing e-mail through spam filters.

All of this gets turned on its head when an ESP is hacked. It's a spammer's fantasy come true. The criminal gets client e-mail addresses along with the names of companies those people do business with -- all you need for a targeted "spear phishing" attack. And by using the e-mail service provider to send out his spam, the bad guy gets a near-guarantee that his scam messages will get through anti-spam filters.

When ReturnPath was hacked, criminals stole e-mail addresses belonging to 13,000 of its users -- ESP employees and marketing professionals who had accounts with the ESPs. Some believe that a November 2009 attack on ReturnPath may have given hackers a stepping stone to launch attacks on thousands of accounts at ESPs that used ReturnPath's services.

Last year, ReturnPath said that e-mail operations employees at more than 100 ESPs and gambling sites had been hit with targeted phishing attacks. Victims would get an e-mail specially targeted to them with a link to a website that then tried to install malicious password-stealing software on their computers. "This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems," ReturnPath said in a blog posting, written by Schwartzman. "Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable."

Shortly after the ReturnPath incident, two ESPs -- Silverpop and AWeber Communications -- came forward to say that they had been hacked as well.

In many of these cases, overseas criminals apparently broke into ESP accounts and then used them to send spam. Criminals use hacked accounts to send links to questionable Adobe Reader updates, which could be pirated software, or worse -- malicious Trojan horse programs, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.

Silverpop's breach reportedly affected hundreds of companies, including McDonald's. And some of them were promptly phished and spammed by scammers looking to steal sensitive information, using the Silverpop e-mail system.

Epsilon had problems last year too. In December 2010, Walgreens warned clients that someone had stolen its e-mail marketing list and was using it in phishing attacks, asking for Social Security numbers and credit card accounts. Walgreens, which was hit again by this latest Epsilon breach, used Epsilon as its e-mail service provider at the time of the December 2010 incident, said Tiffani Washington, a spokeswoman for the drugstore chain.

All three of the compromised ESPs -- AWeber, Silverpop and Epsilon -- have business relationships with ReturnPath. However, with so many ESPs under attack for so long, it's not clear whether the ReturnPath attack can be linked to any of the other hacks, including the recent Epsilon breach, now thought to have affected about 60 companies, including Verizon, Citibank and JPMorgan Chase.

In fact there's an important difference between the recent Epsilon incident and other ESP hacks, Warner said. "The primary difference between Silverpop and Epsilon is that in the Silverpop case, criminals managed to send e-mails through the Silverpop system," he said. In the Epsilon case they only downloaded data.

But if the marketing industry doesn't address the problem, it could lead to a meltdown in consumer confidence and the possibility of government regulation, said Craig Spiezle, executive director with the Online Trust Alliance. "This is a serious problem," he said. "It's the tip of the iceberg here."

Spiezle's group, which includes marketers, Internet service providers and security companies, has been trying to encourage e-mail service providers to beef up their security game. But Spiezle and others say that while some marketers and advertising networks take security seriously, many do not. "Security was not a design fundamental of what they created," Spiezle said. "Today they've underinvested and underanticipated the impact of the cybercriminal."

It's a problem that the e-mail marketing industry would very much like to see go away. The Direct Marketing Association (Epsilon CEO Bryan Kennedy is a board member) initially wouldn't comment in detail on the problem of targeted attacks against e-mail service providers. But on Sunday, spokeswoman Sue Geramian said that the marketing industry association is putting together a special task force to look at the situation and possibly revise the group's guidelines relating to data breaches.

One veteran e-mail marketer, who spoke on condition of anonymity, said that industry opinion about whether there will be long-term backlash over Epsilon is "almost evenly divided."

"Of course they want it to blow over because if it doesn't blow over, people are going to stop clicking on 'I agree,'" he said, referring to the check boxes that customers check on Web forms to allow further e-mail contact. These are the consent agreements that keep legitimate e-mail marketers in business. He added, "Some people are actually seeing their opt-in numbers go down. In the industry, they're kind of whispering about that."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags marketingAlliance Datadata breachAWeber Communicationslegalindustry verticalsReturnPathinternetcybercrimeEpsilon InteractivesecuritySilverpop

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?