M&S Customer Details Exposed In Epsilon Breach

The fallout from the data breach reported earlier this week by Epsilon, a large email marketing services company based in the United States, is now said to be reaching the UK.

On 30 March, Epsilon apparently detected “an unauthorised entry” into its email system, and days later issued a public warning that data belonging to users had potentially been exposed to hackers, after millions of email addresses were stolen.

It said that around 50 of the 2,500 companies Epsilon works for were affected by the hack. This includes customers of well-known brands such as Hilton Hotels, Best Buy, and Barclaycard US.

Phishing Concerns

There is little doubt that the data breach is damaging, and it has been described as one of the largest internet security breaches in US history. This is because it could potentially impact anyone who has ever signed up to receive a retail offer or alert through their email account.

Epsilon has already warned that thieves may use the information to launch a phishing campaign to trick users into disclosing more critical data.

And now one of the UK’s leading retailers, Marks & Spencer, has become the first UK chain to warn that customer details may have been compromised in the Epsilon breach.

M&S customers were warned late on Tuesday that their details may have been compromised.

In an email to customers seen by the Guardian newspaper, M&S said that it does “take your privacy very seriously” and added it would “continue to work diligently to protect your personal information.”

However, it also warned customers to expect unsolicited spam emails.

M&S Statement

“Epsilon, our email marketing supplier, has informed us that a number of its clients’ customer files have been accessed without authorisation, including Marks & Spencer,” M&S told eWEEK Europe in an emailed statement.

“The compromised files were limited to names and email addresses – no other personal or financial information is at risk. We have contacted our customers to inform them on this incident,” it added.

“The information that was obtained was limited to email addresses and/or customer names only,” Epsilon said in a terse statement. “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

Spam Surge

“As we’ve noticed before, carelessness with email addresses isn’t a cardinal sin in the data leakage world – both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem,” wrote Paul Ducklin of Sophos.

“However, losing your email address to scammers and spammers is likely to mean a surge in spam to your account,” he warned. “Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable.”

It remains to be seen whether the data breach will trigger an investigation by the UK Information Commissioner’s Office.

While Epsilon is a US-based company, and the United States does not have the same data protection laws as the UK, when companies pass the details of UK citizens to foreign companies, they must ensure that the destination has a proper “safe harbour” arrangement to safeguard the data to European standards.

Tom Jowitt
