Epsilon Data Breach, "Our Data Went Where?"

posted Apr 12, 2011, 11:35 AM by Michael Hoffman
I have received numerous calls and emails from friends about the recent data breach - and while Epsilon and their major name brand clients affected would like to 'make this go away,' and refer to this as only an e-mail list breach - it is much, much bigger and only a symptom of customer data vulnerabilities. 

Real Chase Customer Alert e-mail... Or is it? (Forwarded from real customer) 

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you. 

We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase's practice to request personal information by e-mail. 

As a reminder, we recommend that you:
  • Don't give your Chase OnlineSM User ID or password in e-mail.
  • Don't respond to e-mails that require you to enter personal information directly into the e-mail.
  • Don't respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
  • Don't reply to e-mails asking you to send personal information.
  • Don't use your e-mail address as a login ID or password.
The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on "Fraud Information" under the "How to Report Fraud." It provides additional information on exercising caution when reading e-mails that appear to be sent by us. 


Patricia O. Baker 

Senior Vice President 

Chase Executive Office

If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our 
Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
© 2011 JPMorgan Chase & Co.

There is no way of knowing whether this email came from Chase or whether it is another step in a massive phishing scheme. Wouldn't the customer data and email hackers also have an account with Chase so they could spoof whatever email follow-up Chase initiated? 


Yes - the service recovery email or notice from Chase could have been much, much better but obviously Chase and Epsilon and the 50+ major brands affected want to keep the costs down, limit exposure and limit customer alarm. But be alarmed!

The government is stepping in  and must step in to protect customers and frankly companies like the brands tarnished by the breach. Readers of Customer Worthy (book) can calculate the estimated cost to customers for this breach - which far outweighs the cost to Epsilon or the individual companies involved. See the Customerpayback section of book. 

These types of breaches are more common than companies want to admit - and are happening at consolidated company data points - TJX data breach - was more severe, yes, and scary and Heartland's data compromise reached epic proportions . And Epsilon is not just an 'email provider' but part of the  enormous credit card company Alliance Data.

Surprise - If you are reading this in North America, and you have a credit card or a debit card, your data has most likely been compromised in at least one, if not all three of these major data breaches - read Dark Reading regularly to feed well justified personal data violation paranoia. 

I can imagine the hundreds of bank relationship managers at Citi, Chase and others bombarded with customer phone calls, visits and yes - emails with concerns and questions, confirmations and account closings. Disney, Best Buy and a who's who of brands were affected - the cost of trust and goodwill lost is immeasurable - (OK, use the CxC Matrix - everything is measurable) 

The excerpt below is meant to be a wake up call to companies and consumers regarding data privacy, storage, disaster recovery and data handling:

Customer Worthy Excerpt, by Michael R Hoffman

Chapter 12 : Matrix Benefits and Use by Function and Department pg 163 under Legal Department Benefits 

Our data went where?

Data breeches will continue to grow as more information and transactions
are digitized. As a result, personal and confidential information provided
by customers will be continually at risk. Additionally, company information
stores and data networks will continue to be pirated, poached, and hijacked,
requiring companies to insist on additional third party customer authenticity
validation and authorization among payment systems and partners.

Customer backlash is a likely result of the increased exposure of confidential
data. Legal or governmental representatives may demand specific
disclosures regarding how, why, when, where, and for what purpose customer
information was stored, accessed, and modeled by companies other than
the business customers believed they were dealing with directly. Transparency
is ripe for continued scrutiny, whether to data vendors, credit bureaus,
transaction processors, data exchange, integration companies, subsidiaries,
or lines of business.

It is likely that companies will face not only growing legal and financial
liability for misuse, mishandling, and negligence related to customer data,
but also for not using customer data when that information could benefit
the customer, as in the “Mad Cow” case reported in the Washington Post (July
6, 2004). Although some customers are troubled by the privacy implications
of data capture, many assume that their information will be used to their
benefit. Customers are likely to also assume that they should have access to
their personal information in the company’s context. They will want to see
who had access to their information and how their information was used to
conduct business. If these assumptions are not met, a negative customer
experience could result.

In the “Mad Cow” case mentioned above, a female customer had purchased
ground beef from a local market, using her customer loyalty card,
which recorded every item she bought.

She used the beef to cook a holiday dinner and only a couple of weeks
later learned from a newspaper article that 10,000 pounds of beef potentially
164 customer worthy tainted by mad-cow disease (MCD) had been recalled from stores in Western
states, including hers. She read about another customer whose purchase had
been recalled after he demanded that the store check his customer loyalty
card to determine if the meat he had purchased was part of the recall.

The female customer then asked that her card be checked to verify the
safety of the meat she fed to her family. However, the store made her make
the request in writing and come to the store’s office for the records. She
eventually learned that the meat she had fed her family was part of the
recall. The result was a lawsuit against the store, claiming that it had the
ability to alert her to the recall and did not do so.

Legal CxC Matrix deliverables

  • Visualize: Customer contacts and implied liability by life stage, channel, product, market, and region
  • Analyze: Exposure, remedy scenarios, risk insurance coverage, partner/vendor liability
  • Monetize: Cost to notify affected customers, scope of various legal scenarios, cost of compliance and governance, exposure and risk related to data handling
  • Prioritize: Communications points, highest risk business areas, documentation, communication guidelines and procedures.
  • Optimize: Issue discovery and escalation, insurance protection, risk prevention
Comments? Questions? contact Michael R Hoffman, 908.350.3012