CBS News Investigates

Secret Service investigates Epsilon data breach

By Laura Strickler

April 6, 2011 / 11:44 AM EDT / CBS News

By Laura Strickler and Aurora Ellis

Companies like Best Buy, Capital One, JP Morgan Chase and TiVo have been notifying customers of a large data breach where names and email addresses have been hacked. CBS News has confirmed at least 20 companies including Kroger, Hilton Honors, Home Shopping Network and Marriott Rewards were impacted.

What do these companies all have in common?

They all pay the email marketing company Epsilon, based in Dallas, to email their customers on their behalf. Epsilon says it sent 40 billion emails last year to customers and handles the email marketing for 2,500 companies. The company says their clients operate "primarily in the financial services, specialty retail, hospitality and pharmaceutical end-markets."

Experts say the good news is this was not credit card data or Social Security numbers. But Mike Lennon, a reporter at Security Week, says the threat he sees is that this data will give scammers what they need to "personalize the attacks."

For example, scammers could build trust by sending a personally addressed email that looks like it comes from an official email address from Marriott or Hilton saying, "Congratulations, you just won a free hotel room...click here to log in to your frequent customer account." Once a customer logs in then scammers have access to more information.

"When you get that kind of bogus email about 4 percent of the people will open it and 1 percent will actually fill it out. So out of 1 million people, one thousand people will fill out a form," says James Lewis, Senior Fellow at the Center for Strategic and International Studies adding, "This happens more often then we know, so Epsilon is not that unusual, what you have is a thriving black market in this kind of information."

Epsilon says the breach happened on March 30th and the company put out a press release two days later. CBS News has confirmed that the U.S. Secret Service is investigating. The public can notify the Department of Homeland Security of email "phishing" scams by emailing: phishing-report@us.cert.gov

The companies impacted include: Ameriprise Financial. Best Buy, Brookstone, Capital One, Citi, Home Shopping Network, JP Morgan Chase, New York & Co., Kroger, Ritz-Carlton Rewards, LL Bean Visa Card, Hilton Honors, Marriott Rewards, Disney Destinations, US Bank, TiVo, McKinsey Quarterly, Walgreens, Ethan Allen and The College Board.

Tips on how to to avoid scams from DHS: http://www.us-cert.gov/reading_room/emailscams_0905.pdf

More from CBS News