Massive Data Breach Hits MN Banks and Retailers

E-mail marketing vendor Epsilon on Friday informed its customers-which range from retailers like Best Buy to financial institutions like U.S. Bank-that someone gained unauthorized access to its database of e-mail addresses.

A marketing vendor that sends customer e-mails for thousands of companies across the United States recently reported that its computer systems were hacked and that its database of e-mail addresses was illegally accessed.

The list of companies whose customers' e-mail addresses were obtained includes Minneapolis-based Target Corporation; Richfield-based Best Buy Company, Inc.; Minneapolis-based U.S. Bancorp; and Minneapolis-based Ameriprise Financial, Inc.-all of which informed their customers of the data breach. Robert Half International, a California-based firm with significant operations in Minnesota, was also affected.

The companies all use Irving, Texas-based e-mail marketing vendor Epsilon, which on Friday notified its clients of the incident. On Epsilon's Web site, the company bills itself as “the world's largest permission-based e-mail marketing provider.” It works with more than 2,500 clients and sends more than 40 billion e-mails each year.

Epsilon said in a statement that only e-mail addresses and customer names were obtained. “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk,” the company said.

Epsilon spokeswoman Jessica Simon on Monday declined to comment on the breach, saying only that the company is “conducting a full investigation and cooperating with authorities.”

Best Buy on Sunday said that the breach took place on March 30. The company said in a statement that “an unauthorized party outside Epsilon gained access to files that included e-mail addresses of some Best Buy customers in the United States.” Best Buy said that it too is investigating the incident, and the company encourages customers to ignore suspicious e-mails that request confidential information.

Best Buy spokeswoman Susan Busch on Monday said that Epsilon didn't indicate in its initial communication the scope of the breach. She said that Best Buy's own investigation is underway, but she declined to comment on the number of customers affected.

In an e-mail sent to U.S. customers, Best Buy Chief Marketing Officer Barry Judge wrote the following: “In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site,”

“We regret this has taken place and for any inconvenience this may have caused you,” Judge wrote. “We take your privacy very seriously, and we will continue to work diligently to protect your personal information.”

Target spokeswoman Erika Svingen on Tuesday confirmed that e-mail addresses used for the company's promotions and marketing were exposed. The company said that it notified its customers who may have been affected.

“Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information,” Svingen wrote in an e-mailed statement.

U.S. Bank sent a notification to its customers over the weekend. “We want to assure you that U.S. Bank has never provided Epsilon with financial information about you,” the company assured its customers. “For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious e-mails.”

Ameriprise's statement echoed the same thing: “Epsilon sends marketing and service e-mails on our behalf, but does not have access to sensitive client data such as social security numbers,” the company wrote on its Web site. “Ameriprise will never ask for personal or account information through e-mail.”

Reports by the Associated Press indicate that many other Epsilon customers from across the United States had their customers' files illegally accessed by the same hacker. Those companies include TiVo, Inc.; Walgreen Company; and JPMorgan Chase & Company; among many others.