Mass leak of email addresses from Epsilon

(Updated 2011/04/14)

On April 1 of this month, Epsilon, a major US marketing services company, announced that an outside party had broken into its email system and that information belonging to its client companies had been exposed.*1
Unfortunately, it was not an April Fools' joke. The announcement was updated on 4/4 to say that roughly 2% of all clients (about 2,500 companies in total) were affected. That comes to about 50 companies, but every one of them is a well-known major brand. Exact figures are not available, but several million email addresses are believed to have leaked.

The text of Epsilon's press release is as follows:

IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

For Consumer Inquiries in the US and Canada, please call 866-595-4896 or email sbranam@epsilon.com

For Media Inquiries please contact Jessica Simon (212-457-7135, jsimon@epsilon.com)

Updated April 4, 2011: The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services.


According to the databreaches.net article, the affected clients are as follows; 58 companies are listed.

1-800-FLOWERS
AbeBooks
AIR MILES Reward Program (Canada)
Ameriprise
Ann Taylor (reported by a recipient but I haven’t seen any copy of it yet)
Barclays Bank of Delaware ( Barclay’s L.L. Bean Visa card)
Beachbody
bebe
Best Buy
Best Buy Canada Reward Zone
Benefit Cosmetics (see below)
Borders (see Comments under this post, but note that Borders denied this to Brian Krebs, so until I see a copy, I consider this one as in question)
Brookstone
Capital One
Charter Communications
Citi (including Citi NTB Card, Citi Home Depot Card)
City Market
College Board
Dell Australia
Dillons
Disney Destinations (The Walt Disney Travel Company)
Eddie Bauer Friends (copy forwarded to DataBreaches.net by recipient)
Eileen Fisher (doesn’t name Epsilon but same template letter)
Ethan Allen
Eurosport Soccer (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
Home Shopping Network (HSN)
Jay C
JPMorgan Chase
King Soopers
Kroger
Lacoste (as per TG Daily)
Marriott Rewards
Marks & Spencer (copy sent to DataBreaches.net)
McKinsey Quarterly
MoneyGram
New York & Company
QFC
Ralphs
Red Roof Inn
Ritz-Carlton Rewards
Robert Half International
Scottrade
Smith Brands
Target (via KrebsonSecurity.com and a site reader who’s getting tired of receiving notices this week)
TD Ameritrade
TIAA-CREF
TiVo
TripAdvisor.com (copy sent to DataBreaches.net by a recipient)
US Bank
Verizon
Viking River Cruises (copy sent to DataBreaches.net)
Visa (Barclays Bank of Delaware/L.L. Bean Visa, BJ’s Visa)
Walgreens
World Financial Network National Bank (Victoria’s Secret card, Express card, Catherine’s)


Incidentally, one of these, Kroger, is a store I relied on during my stay in the US last year. It is a major supermarket chain with a wide selection and low prices. Naturally I had registered my email address there as a customer, so on 4/2 I received an apology email from Kroger. It read roughly as follows. In short: "you might get some spam, so be careful!" (^^;

Dear Valued Customer,

Kroger wants you to know that the data base with our customers' names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).

Sincerely,
The Kroger Family of Stores


(Added 2011/04/14)
It turns out that Epsilon had been warned by its partner Return Path back in November of last year that a phishing campaign targeting ESPs (Email Service Providers) was under way.
http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.aspx
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-aimed-at-esps/


(Related articles)
http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/
http://nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/
http://www.databreaches.net/?p=17374
http://www.nytimes.com/2011/04/05/business/05hack.html

*1: Incidentally, I have seen some people confuse the two, but this company is unrelated to the Japanese credit card payment processor Epsilon (イプシロン), according to the latter. See here → http://epsilon.jp/news/20110404.html