Arik Hesseldahl

The List of Companies Affected by the Epsilon Breach Grows and Grows and Grows

Best Buy. J.P. Morgan Chase. Citibank. Walgreens. Disney. Barclay’s Bank. U.S. Bancorp. Marriott. Ritz Carlton. L.L. Bean. Home Shopping Network. TiVo.

If you’ve ever given your email address to any of the companies named above, then you’re probably among those who received a warning message today saying that your name and email address had been compromised as the result of an attack by an unknown party on the database of Epsilon, an email marketing firm owned by Alliance Data Systems.

As I write this, I’m continuing to hear from people I know who are feeding me live updates on the companies, all of them apparently Epsilon clients, who are notifying their customers that their information has been taken. As of noon PT, people I know are saying they’ve received notifications from Hilton Hotels and Ethan Allen.

The breach looks to be very similar to one seen late last year at Silverpop Systems. That one ensnared outfits as varied as deviantART, the Web image-sharing community; the drug store chain Walgreens; and the automaker Honda. This one, however, looks much bigger in terms of the number of customers affected.

Shares in Alliance Data Systems, which is primarily known as a credit card payment processor that also manages loyalty programs for airlines, were off slightly in afternoon trading. The company reported $2.8 billion in sales in 2010, and according to its most recent 10-K filing, Epsilon accounts for 22 percent of that, which works out to a little less than $614 million.

There are more companies named as Epsilon customers in the 10-K. Last year, the company signed a deal with New York and Company, the apparel retailer, to provide what it describes as “comprehensive database marketing solutions.” It signed a similar deal with Dell to provide a “strategic email marketing program.” The list goes on: Kraft Foods, hotelier La Quinta, Chico’s, AARP, Unilever, AAA of Northern California, Nevada and Utah. Its Web site lists even more.

It’s not yet clear exactly how many people’s data has been compromised, but given that only email addresses and names were taken, the next shoe to drop is a series of attempts by the attackers to capitalize on it. What’s expected is a barrage of “spearphishing” attacks, which are similar to phishing attacks in that they involve emails that try to entice you to click on links that aren’t actually what they appear to be.

Whereas phishing attacks are lobbed out at random, spearphishing is a little more precisely aimed. Now that the attackers know the names and addresses of customers of certain banks and retailers and other companies, they may try to send these people messages that appear to come from these companies in order to convince them to click on links that at first look innocuous but aren’t. The range of things these attackers may attempt to do is rather wide. They might try to install evil software on your machine and turn it into a zombie that serves yet more spam to other people, or they may try to trick you into giving them access to your bank account.

Some years ago I very nearly fell for something like this. I got an email from my bank that had my name on it, had the correct last few digits of my account number, and a few other details that all looked right to me. It looked just like the emails I would get occasionally from that bank. It said there was a problem with a charge I had made on my debit card.

The message contained a link, and I very nearly clicked it. But at the last second, my better judgment kicked in and I decided instead to pick up the phone and call my bank. I found out it was a rather sophisticated attempt to do something evil, and I nearly fell for it. If you get any emails from any of these companies in the coming days that contain links or odd-looking attachments, you’re probably better off doing nothing and calling the company in question to double check that the message is legit, especially if the message is from a bank or other financial institution. The best advice I can give you in a case like this is to simply be on your guard.
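The two things worth checking before trusting such a message, the sender’s domain and whether a link’s visible text matches where it really points, can be automated on the receiving side. This is an added example, not code from the post or from Epsilon; “Example Bank”, the `.test` domains and the 203.0.113.7 address are constructed sample values.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Hostname of a URL, or of bare link text such as 'www.bank.test/secure'."""
    value = value if "://" in value else "http://" + value
    return (urlparse(value).hostname or "").lower()

def triage(raw_message, expected_domain):
    """Flag a From: domain that is not the company's own, and any link whose
    visible text names one host while the href really points somewhere else."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    if sender != expected_domain and not sender.endswith("." + expected_domain):
        findings.append(("sender-domain", sender))
    part = msg.get_body(preferencelist=("html",))
    collector = _AnchorCollector()
    collector.feed(part.get_content() if part else "")
    for href, text in collector.anchors:
        shown = _host(text) if "." in text else ""  # only link text that itself looks like a domain
        if shown and shown != _host(href):
            findings.append(("link-mismatch", href))
    return findings

# Constructed sample modelled on the lure described above; .test domains are reserved, not real.
SAMPLE = """From: "Example Bank" <alerts@examplebank-notice.test>
Subject: Problem with a charge on your debit card
Content-Type: text/html

<p>Please review the charge at <a href="http://203.0.113.7/login">www.examplebank.test/secure</a></p>
<p><a href="https://www.examplebank.test/help">Help</a></p>
"""
```

A look-alike sender domain and a link whose displayed address differs from its target are each reported separately, so a message that passes one check but not the other is still flagged.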


  • Anonymous

    Also target

  • Anonymous

    Epsilon. Looks like a cloud, charges like a cloud, hosts like a cloud…it’s a cloud – with emerging data liabilities now being realized by their business clients too eager to outsource their data marketing functions in exchange for “lower costs.”
    The persons impacted by these hacked email addresses now carry the cost, uncertainty, and duress of being potential victims of business profits over privacy and security. Epsilon will feel this financial pain for years as did TJX and Heartland Payment Systems, but the costs will likely be that much greater because this event occurred in 2011 and the majority of Epsilon clients never insured for this massive data spill and resulting liabilities. Trust in the Internet itself is quickly becoming polluted with these repeated, uninsured data spills where cloud vendors like Epsilon and their customers like BestBuy want us to think that the personal risks now just “evaporate.” To the cloud?! Time to innovate folks, as everyday people are at risk and starting to get breach fatigue and quite frankly, pissed off. Data malpractice is on the horizon as these events get more severe.

  • http://profiles.google.com/feliciasho f w

    Add Verizon to the list as well…

  • Anonymous

    Thanks for your post, and for helping to keep your readers informed about this breach. In order to defend against this type of attack, businesses can no longer rely on point solutions such as firewalls, IDS/IPS devices, or simple IP reputations. Solutions that can provide deep content inspection to detect embedded attacks across email and Web sessions should also be implemented. This breach also illustrates the importance of ensuring network layer Data Leakage Prevention (DLP) for service providers, in order to prevent the outflow of email addresses. Our company, Wedge Networks has focused on building such solutions for years, and is leading efforts to prevent the good things from flowing out, and bad things from flowing in.

  • Anonymous

    CyberFactors.com’s recent data and intelligence shows a data event cost per company in the range of $5.5M to $12.8M depending on the industry, assuming no liability claim, which would really drive the $$ severity. The Epsilon event projection may be multiplied by 50x given the size, brands, and numbers of companies impacted. Risk modeling of IT events needs to happen across businesses to even have a chance to make these catastrophic events insurable on a mass scale.

  • Anonymous

    Why does ONE company represent so many major firms including 7 of the Fortune 10? Does our government do ANYTHING to prevent monopoly?
