Insider Threat Management

Throwback Hack: The Epsilon Email Breach of 2011

Throwback Hack: The Epsilon Email Breach of 2011

(Updated on 10/29/2020)

Is your spam folder full? If so, it could be related to a massive data breach that occurred back in April of 2011. If you recall, Epsilon—the world’s largest permission-based email marketing company—suffered a major breach, where the names and addresses of 60 million users were stolen.

At the time, it was called one of the largest breaches in history. Although that’s no longer the case, there are some important lessons we can learn from this incident. Before we get to that, here are the details of the breach (scoured from various sources):

  • The breach occurred as a result of an “unauthorized entry” into Epsilon’s email system
  • The hackers got away with the emails and names of around 2% of their clients (estimated)
  • Companies like Walgreens, BestBuy, CitiGroup, JPMorgan, Capital One and others were all affected indirectly, as they were clients of Epsilon
  • It was determined that no personally identifiable information (PII) was obtained in the breach, but the emails they obtained could be used for spam and phishing attacks

A lot has changed in the four years since this breach occurred, but much has stayed the same. Here are a few notable examples:

Motivation for Hackers: Like most breaches today, the Epsilon hackers weren’t looking to hit the jackpot with their breach–—at least not initially. Instead, they were simply looking to get a foot in the proverbial door. In this case, that foot was obtaining email addresses. From there, they could employ social engineering tactics, malware, fake company emails and other methods for getting consumers to unwittingly hand over their credit card numbers and other PII.

These tactics are still just as effective today because they rely on the weakness of a company’s greatest vulnerability, their employees. 

Response Time: One of the interesting things about the Epsilon breach is that it affected the customers of 75 of their clients. Epsilon notified their clients and it was left up to the companies to notify individual customers. This resulted in staggered response times as the 75 companies all responded to the hack in different ways and at different speeds.

According to Verizon, who waited about a week to notify customers, “We wanted to make sure we had the most detailed information possible from Epsilon. With such a sensitive topic as personal information security, we wanted to get the information exactly right.”

The issue of response time is still being dealt with today. Some companies have earned points by being upfront and honest with their clients as soon as possible, while others have been less forthcoming and have paid the price in public relations. 

Discovery: Initially, the email breach was believed to only affect Kroger, a national grocery retailer and Epsilon client. It wasn’t until Epsilon and other clients began investigating the breach did they discover the full extent. When information is coming in a slow leak like this it can be difficult for the breached company to create a quick and comprehensive disclosure to their clients. More importantly, it can limit their ability to close up the vulnerability and secure their systems. Still today, companies can spend weeks or months investigating a breach before they are able to gain a full picture of how their system was breach and what specifically was taken.

The 2011 Epsilon data breach was the largest data breach in history at the time. Unfortunately, many of the lessons we can learn from that breach are still issues that the IT security industry faces today. As companies and government agencies work this year to secure their systems from hackers and insider threats, it’s more important than ever to look back on old hacks to see what other lessons we’ve missed.

Any other throwback hacks you’d like us to cover? Let us know in the comments!

Subscribe to the Proofpoint Blog