HK, mainland firms exposed to hackers in Epsilon data breach

PUBLISHED : Tuesday, 05 April, 2011, 12:00am
UPDATED : Tuesday, 05 April, 2011, 12:00am


A massive data breach at Epsilon, the world's largest e-mail marketing services provider, appears to have compromised the names and online addresses of customers of many large companies in Hong Kong and on the mainland.

The hacking incident was reported by United States-based Epsilon on Friday, when the firm said that 'clients' customer data were exposed by an unauthorised entry' into its e-mail system. Epsilon, which has about 2,500 corporate customers worldwide and sends more than 40 billion e-mails annually, has had operations in China for 10 years, with offices in Hong Kong, Guangzhou, Shanghai and Beijing.

Security experts said the stolen data, which could amount to millions of names and e-mail addresses, are expected to be used by criminal elements for phishing scams, spam e-mail and other cyber attacks.

Epsilon spokeswoman Jessica Simon would not confirm whether the client databases of all of its corporate customers were exposed to hackers. 'Due to the investigation and as we co-operate with authorities, I'm unable to give you any further detail regarding the impacted/non-impacted clients,' Simon said.

Multinational financial services providers Citigroup and JP Morgan Chase, professional consulting group McKinsey & Co, US drugstore chain giant Walgreens, the Home Shopping Network, supermarket chain Kroger, hotel loyalty membership enterprise Marriott Rewards, and Disney Destination, the Walt Disney Co's travel services unit, are among a growing list of large US companies that have informed their customers of the security breach at Epsilon. But so far affected companies in Hong Kong have yet to pass on the information to their customers.

According to a spokeswoman at Hong Kong's Office of the Privacy Commissioner for Personal Data, companies in the city 'have no legal obligation to report a data breach'.

Rik Kirkland, senior managing editor at McKinsey, said in an electronic message sent to a Hong Kong subscriber of the McKinsey Quarterly: 'We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information.'

Technology consultant Chet Wisniewski, of international security software supplier Sophos, said cyber attacks on e-mail marketing firms like Epsilon steal data 'to build upon the pre-existing relationship between these companies and their customers'.

'To pretend to be Kroger or McKinsey gives them a far greater chance of convincing their victim that they are legitimate,' Wisniewski said. 'Phishing attacks using this information are likely to be far more effective than blind spamming.'
