More customers exposed as big data breach grows

NEW YORK Mon Apr 4, 2011 8:51am EDT

A man stands outside a Citi bank branch in New York August 13, 2009. REUTERS/Lucas Jackson


NEW YORK (Reuters) - The names and e-mails of customers of Citigroup Inc and other large U.S. companies, as well as College Board students, were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.

In what could be one of the biggest such breaches in U.S. history, a diverse swath of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.

Drugstore Walgreen, video recorder maker TiVo Inc, credit card lender Capital One Financial Corp and teleshopping company HSN Inc all added their names to a list of targets that also includes some of the nation's largest banks.

The names and electronic contacts of some students affiliated with the U.S.-based College Board -- which represents some 5,900 colleges, universities and schools -- were also potentially compromised.

No personal financial information such as credit cards or social security numbers appeared to be exposed, according to the company statements and e-mails to customers.

Epsilon, an online marketing unit of Alliance Data Systems Corp, said on Friday that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company's website or who give their e-mail addresses while shopping.

"We learned from our e-mail provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals," HSN, also an e-commerce operator, said in an e-mail to customers on Sunday.

"This information included your name and e-mail address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."

Citigroup customer names and some credit card customers' e-mail addresses -- but no account information -- were part of the data breach, the third-largest U.S. bank said on Saturday.

The College Board, which administers the SAT admissions tests, on Saturday warned students about the breach and asked them to be cautious about receiving "links or attachments from unknown third parties," according to two e-mails reviewed by Reuters.

The not-for-profit organization is in contact with more than 7 million students, according to its website. It did not immediately return calls for comment.


Law enforcement authorities are investigating the breach, though it was unclear on Sunday how many customers or students had been exposed. Epsilon is also looking into what went wrong.

"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."

Capital One, which also runs a bank, and Walgreens, the largest U.S. drugstore, said the Epsilon hacker accessed their customer e-mail addresses, but no personally identifiable information.

TiVo, a maker of digital video recorders, said the information that was obtained was limited to e-mail addresses and clients' first names.

The incident comes three years after hackers penetrated Heartland Payment Systems, a credit and debit card processor, in one of the biggest identity-theft cases in U.S. history.

In that case, notorious hacker Albert Gonzalez led a ring that stole more than 40 million payment card numbers, and was later sentenced to 20 years in prison.

On Friday, JPMorgan Chase & Co, the second-largest U.S. bank, and Kroger Co, the biggest U.S. supermarket operator, said that some customers were exposed as part of the Epsilon data breach.

Citigroup announced that it had been affected on Saturday evening. Spokesman Sean Kevelighan said the bank started informing its customers of the breach on Friday through a link on its website.

Some of Epsilon's other clients include Verizon Communications Inc, Blackstone Group LP's Hilton Hotels, Kraft Foods Inc, and AstraZeneca.

(Reporting by Jonathan Spicer and Maria Aspan, editing by Maureen Bavdek, Diane Craft and Gunna Dickson.)

Comments (16)
mikemm wrote:
Banks are always the worst when it comes to downplaying these kinds of breaches to protect their bottom line. There’s a good chance some financial info was also breached. It might be just the last digits of your card and transactions or it could be a lot more. Check your credit statements for any suspicious activity. If you find any, they will no doubt claim it as an isolated event not connected with this breach.

This selling of data from one company to several others for profit puts us all at risk with not much if any accountability. The only real difference between a hack and just buying the information is just a technicality dealing with identifying the initial buyer and the legal exchange of money. I don’t see that as a very big difference in the protection of privacy or misuse of the information.

Apr 04, 2011 9:04am EDT
Majick1 wrote:
Gee, a professional SPAMMER was hacked so now we get an extra helping. One would think the Spam-pros would be more careful.

Apr 04, 2011 9:08am EDT
The_Traveler wrote:
“The more complicated the plumbing, the easier it is to stop up the pipes.” Mr. Scott, The Search for Spock.

Apr 04, 2011 9:57am EDT