Data Breach Results in Email Marketing Spam

Posted 1.11.12 by

Just before the New Year, I received a strange email that appeared to be sent from the New York Times regarding my account. But the email referenced renewing my home delivery subscription, which I don’t have – I only have an online subscription. A few days later, I received another email apologizing and acknowledging it had been sent in error.

NYTimes Spam Email


Further research reveals that many users received the same email, and that an earlier statement from the New York Times said the emails were a result of spam without directly naming the source, according to Gigaom.com. Search Security and the Wall Street Journal reported on a data breach in April of last year that affected several companies, including J.P. Morgan Chase & Co. and TiVo.

The one common factor between the two separate incidents? All of these companies employ third-party email marketing campaign management by Epsilon Data Management LLC, a division of Alliance Data Systems Corp.

In April, Epsilon reported that hackers had breached its system security and accessed names and email addresses, including personal information from more than 40 companies (Search Security reports 150 companies, including major banks, retailers and other firms). The company uses customer information to send targeted email promotions to customers of many ecommerce organizations, including Target, Best Buy, the Home Shopping Network and more.

Gigaom.com’s further research shows that the message was sent by bfio.com, a mail server registered to Epsilon Data Management.

Although no credit cardholder data or bank account numbers were accessed, the breach is a great concern for many of Epsilon’s clients, given the financial and ecommerce nature of their industries. While spam emails were the only consequence in this instance, similar data breaches in which more sensitive information is accessed can result in a major PCI or HIPAA violation and significant financial losses.

Read more about Who Needs to be PCI Compliant? and Who Needs to be HIPAA Compliant? if you’re not sure whether or not your company needs to meet national security standards.

Breach Brings Scrutiny
Massive Epsilon Email Breach Could Lead to Email Attacks, Spam
Update: New York Times Email List Spammed – By the New York Times

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
