Epsilon Bingo

By now, everyone has probably read about a company named Epsilon. In
fact, most people likely have second hand involvement, receiving one
or more emails from companies you do business with warning you to be
very careful after a recent incident. Most of these companies have
used a similar form letter explaining the concerns and that you should
be "cautious of phishing e-mails, where the sender tries to trick the
recipient into disclosing confidential or personal information." These
notifications stem from Epsilon, a managed e-mail broadcasting
company, getting compromised and having all of their customer e-mail
addresses copied.

We have received a few emails from people asking us how we could have
missed the Epsilon breach and why it isn't on our site. Well, it
actually is on the site as we do follow incidents such as this,
however, it is listed as a Fringe incident. Why “Fringe”? From what we
can tell so far, the breach (while unacceptable) is contained to Names
and Email Addresses. We do recognize that this information may
increase the risk to customers as targeted spearphishing attempts may
be more successful, however, there is no loss of PII. We have debated
this topic for years and instead of not including them in DataLossDB,
they are now just labeled Fringe. There will be more debate on the
severity of this incident for sure. Some think it is critical and
others merely say that their email address was never meant to be
private anyways. There are good arguments supporting both sides of the
debate.

When Epsilon posted the notice on their site they mentioned: "On March
30th, an incident was detected where a subset of Epsilon clients'
customer data were exposed by an unauthorized entry into Epsilon's
email system."

As on April 4th, they have now have updated the definition of “subset”
to mean "The affected clients are approximately 2 percent of total
clients and are a subset of clients for which Epsilon provides email
services."

As of today, we are aware of a little over 40 companies affected and
more notices are pouring in from users. As to how many users are
impacted that is anyone’s guess. Our guess is A LOT.

If you want to read some of the notices we have received, over a dozen
are on our mailing lists archives:
http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html

For those that want to play along, we have decided to make some
Epsilon Bingo Cards. If you are able to fill up a whole card and prove
it with the notices we might have to give you a prize... that is the
least we could do, right?

As always, please keep sending us any notices that we are missing so
that we may better gauge the scope of this incident and update the
cards.