A data leak at the marketing firm Epsilon has exposed the email addresses of Disney, Ritz-Carlton Rewards and Marriott Rewards customers.
The leak was caused by an attack carried out by an unknown group of hackers who were somehow able to gain access to Epsilon’s list of customer names and emails.
While this may not sound serious, IT security experts at Sophos have warned the problem may be bigger than it appears.
In his blog, Paul Ducklin, Sophos’s Asia Pacific head of technology, said: “Apparently, only names and email addresses were spilled, which is moderately comforting.
“What isn’t so comforting is the knock-on effect of this data breach. Epsilon is, if you like, a cloud provider of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers’ systems too.”
The leak also means customers whose email addresses were taken are at a greater risk of targeted spam emails. By looking at what company a stolen email address came from, spammers can begin to target phony emails to their victims.
Another problem is the sheer size of Epsilon. It is the world’s largest permission-based email marketing provider. The company sends out over 40 billion emails annually and works with more than 2,500 clients. That means the true scope of the leak may not be known for some time.