Article: Who Cares About Your Email Address?

by on April 4, 2011

Last Thursday, the database of Epsilon, an Internet marketing company, was compromised and someone outside of the company gained access to email addresses and customer names. While you may not have heard of Epsilon, you may have heard of its customers, including Walgreens, Kroger, JPMorgan Chase, Citi, Capital One, TiVo, Best Buy, and countless others. The company handles email marketing, for over 2500 clients, which means millions of email addresses. Unfortunately, because of this breach, it seems the most customers will get right now is an “oops” email from the particular companies.

While there isn’t much your favorite bank or retailer can do, this really shows the major flaw with email marketing—nobody cares about the customer. While this is pretty expected, people would be up in arms if phone numbers, street addresses, or heaven forbid, social security numbers got loose. Email addresses though? Eh, it happens. They must not be that important.

More importantly, have we gotten so complacent about junk mail that we don’t care if someone is careless with one of our digital identities?

Below is an email that was sent to Best Buy RewardZone members, but it is very similar to ones sent by other companies. The only major difference is that Best Buy chose to make this an ad for Geek Squad:

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:


Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

Best Buy’s was only an example. If anything they offered a bit more than some of the other versions of this email I received, but I can only fault the companies who outsourced my data to an extent. If they need someone else to manage the infrastructure, that’s fine. The problem I have is that that company had an issue and the general response seems to be “oh well” — I know an investigation is taking place, and sometimes things take time, but this isn’t the first time such a thing occurred:

The incident comes three years after hackers penetrated Heartland Payment Systems, a credit and debit card processor, in one of the biggest identity-theft cases in U.S. history.

In that case, notorious hacker Albert Gonzalez led a ring that stole more than 40 million payment card numbers, and was later sentenced to 20 years in prison.

At least we know it wasn’t him this time…

In the grand scheme of things, people aren’t going to be at-risk, since in most cases, only first names and email addresses were taken:

This all sounds fairly terrifying. But the worst that may come of it is a sneakier and more sinister version of spam, security experts say.

Since the hacker, according to Epsilon, lifted only e-mail addresses and names, there’s little fear that identities could be stolen and bank accounts drained because of the huge leak of information.

What security experts do worry about, however, is a malicious form of spam called “targeted phishing” or “spear phishing.” These terms refer to fake e-mails that try to look real because the scammer knows something about you.

Say you had signed up to receive marketing e-mails from Kroger, which is a major U.S. grocery store chain. If your e-mail address and name were stolen as part of the recent security breach, a scammer, knowing you sometimes get e-mails from Kroger and probably wouldn’t be suspicious of them, could design a fake e-mail that looks like it came from Kroger. Such an e-mail might ask you for sensitive information, like a Social Security number or bank account number.

Still, I think last week’s breach should force companies and regulators to wake up. Although I have “throw-away” email addresses for signing up for things (like many of our readers, I assume), most people don’t. Sure, junk mail isn’t that big of a deal, and if you do have a few brain cells, you’ll know not to give out a social security number of bank account number to a random email, but that isn’t the point. In an age of do-not-call lists, and do-not-track browsing, shouldn’t we hold people more accountable with our email addresses?

Also, Macworld’s Chris Breen cares and offers a number of tips for those who may be affected.

This post has been filed in Articles