Mothercare Emails Exposed By Epsilon Hack
After Marks & Spencer, Mothercare became the second big British retailer hit by Epsilon
A second British retailer, Mothercare, has warned its customers that their details have been exposed to hackers, following the Epsilon data breach late last week.
Epsilon is a large email marketing services company in the United States and, on 30 March, the company said it had detected “an unauthorised entry” into its email system. Days later it issued a terse public warning that names and email addresses belonging to thousands of users who had registered for any retail scheme had potentially been exposed to hackers.
Earlier this week Marks and Spencer became the first British retailer to publicly admit that its customer details had also been exposed.
Mothercare Admission
And now Mothercare has also admitted that its customer names and emails are likely in the hands of hackers and spammers. The hack is also known to have exposed customers of other well-known brands including Hilton Hotels, Best Buy, and Barclaycard US.
“We have been informed by Epsilon, a company we use to send emails to our customers, that some Mothercare customer email addresses have been accessed without authorisation,” Mothercare reportedly told its customers via email.
“We are among several companies affected by this data breach. Epsilon stressed that the only information accessed was names and email addresses; they confirmed that no other personal information, such as your account details, has been affected or is at risk.”
“We apologise for any inconvenience this may cause you. We take your privacy very seriously and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorised access.”
Mothercare was less forthcoming, however, when eWEEK Europe contacted the company for a statement.
“Unfortunately Mothercare have no further comment on this. Please direct all questions directly to Epsilon,” Mothercare said.
No Credit Card Info
Thankfully Epsilon’s parent company (Alliance Data Systems Corp) has been more open and issued an updated statement on the damaging data breach.
“Alliance today reaffirmed Epsilon’s previous statement that the unauthorised entry into an Epsilon email system was limited to email addresses and/or customer names only,” the company said. “No personal identifiable information (PII) was compromised, such as social security numbers, credit card numbers or account information.”
“Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations,” it added.
“Late last week, Epsilon detected that customer information of a subset of Epsilon’s email clients had been exposed by an unauthorised entry into its email system. The affected clients represent approximately 2 percent of Epsilon’s total client base. Since the discovery of the unauthorised entry, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised,” it said.
“We are extremely regretful that this incident has impacted a portion of Epsilon’s clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information,” said Bryan J. Kennedy, president of Epsilon. “We apologise for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers’ confidence.”
Epsilon said it is working with Federal authorities, as well as other outside forensics experts, to investigate this matter and to ensure the immediate implementation of “additional safeguards.”
There has been a spate of high-profile data breaches of late, including the likes of TripAdvisor and Play.com. It remains to be seen, however, whether this latest data breach will trigger an investigation by the UK Information Commissioner’s Office.