The data breach included some email addresses of JPMorgan Chase customers and names and email addresses of Kroger customers, the companies said in separate statements on Friday.
Epsilon, a unit of Alliance Data Systems Corp (ADS.N), said on Friday that a person outside the company hacked into some of its clients' customer files.
The vendor sends over 40 billion email ads and offers annually, usually to people who register for a company's website and or give their email addresses while shopping. Some of Epsilon's other clients include Verizon (VZ.N), Blackstone Group LP's (BX.N) Hilton Hotels, Kraft KFT.N, and AstraZeneca (AZN.L).
Kroger, the biggest U.S. supermarket operator, said it told customers on Friday that the database storing their names and email addresses had been breached. No other personal information was exposed in the breach, Kroger said.
JPMorgan Chase, the second-largest U.S. bank, said some of its customers' e-mail addresses were part of the data breach.
Epsilon told the bank that the accessed files did not include any customers' financial information, but JPMorgan Chase is "actively investigating to confirm this," the bank said in a statement.
The vendor said separately that "a full investigation is under way." The data breach exposed only customer names and e-mail addresses, and Epsilon said that "no other personal identifiable information associated with those names was at risk."
Spokeswoman Jessica Simon declined to identify which other Epsilon clients were affected by the data breach. The vendor is "cooperating with a number of authorities now, so I don't know how long it (the investigation) will take," she said.
Reporting by Brenton Cordeiro in Bangalore and Maria Aspan in New York; Editing by Joyjeet Das; Editing by Gary Hill and Richard Chang