Epsilon: a watershed for an industry under siege

The attack on the e-mail service provider is part of a long-running campaign

By Robert McMillan, IDG News Service
April 11, 2011 05:36 PM ET

Last week, consumers in the U.S. were bombarded with e-mail messages warning them of what may be the most widely felt data breach in U.S. history. A company that most of them had never heard of, Epsilon Interactive, had been compromised and their names and e-mail addresses had been stolen.

For a few days, it seemed that almost everyone was getting a warning message. The notes all struck the same tone: "Email files have been accessed without authorization," said one, sent to holders of the Dressbarn credit card. "You could receive some spam email messages. We sincerely apologize."

The breach left many victims uneasy, rather than outright scared. After all, these are stolen e-mail addresses, not Social Security numbers or bank account details. Brian Jacobs is a typical victim. An IT manager with the city of Rockport, Texas, he woke up on Monday, April 4 to a warning e-mail from his former employer, staffing firm Robert Half International, telling him that his e-mail address had been taken. With nothing more in the balance, Jacobs said he wasn't particularly worried, but he didn't feel good either. "When they said, 'They just got your e-mail address,' it's like, 'Well, that's what you're telling me today. Are you going to be telling me something else tomorrow?'" he said.

One thing that neither Epsilon nor its parent company, marketing giant Alliance Data, is discussing is the fact that the Epsilon breach is just the latest development in a long-running campaign to hack into the service companies that pump out the bulk of the nation's sales coupons, air miles account updates, and friendly reminders that make up legitimate marketing e-mail campaigns. There are hundreds of these companies out there, ranging from small mom-and-pop operations to large subsidiaries of publicly traded corporations like Epsilon. And over the past year, spammers have been trying to break into them with a vengeance.

"There has been a series of attacks on e-mail service providers that has been occurring since December 2009," said Neil Schwartzman, executive director with CAUCE (the Coalition Against Unsolicited Commercial Email), an anti-spam advocacy group. "About a dozen ESPs were hacked over the course of 2010."

That's particularly worrying because while Schwartzman and others say that many ESPs have been hacked, only four companies have admitted that they were compromised: Epsilon, Silverpop, AWeber Communications and ReturnPath, a company that sells services to ESPs.

With many of these attacks, the criminals target clients of the e-mail service provider. They take over their corporate accounts and then use them to send spam -- often fake Skype or Adobe Reader updates that actually contain malicious software.

Schwartzman knows a lot about the problem. He was formerly senior director of security strategies with ReturnPath, which was hit by hackers late last year. ReturnPath isn't an ESP, but it sells deliverability services to more than 2,000 ESPs, including Epsilon. These deliverability services are extremely important to ESPs because they help them get their legitimate marketing e-mail through spam filters.
