Big US names such as Citigroup and Walgreen have been left reeling after a data breach at an online marketing affiliate resulted in customers' details being exposed.
In what could be one of the biggest such breaches in US history, a diverse swath of companies that did business with online marketer Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.
Video recorder TiVo, credit card lender Capital One Financial and teleshopping company HSN all added their names to a list of targets that also includes some of the nation's largest banks.
The names and electronic contacts of some students affiliated with the US-based College Board - which represents some 5,900 colleges, universities and schools - were also potentially compromised.
No personal financial information such as credit cards or social security numbers appeared to be exposed, according to the company statements and emails to customers.
Epsilon, an online marketing unit of Alliance Data Systems, said on Friday that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion email ads and offers annually, usually to people who register for a company's website or who give their email addresses while shopping.
"We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorised individual or individuals," HSN, also an e-commerce operator, said in an email to customers on Sunday.
"This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."
Citigroup customer names and some credit card customers' email addresses - but no account information - were part of the data breach, the third-largest US bank said on Saturday.
The College Board, which administers the SAT admissions tests, on Saturday warned students about the breach and asked them to be cautious about receiving "links or attachments from unknown third parties," according to two emails reviewed by Reuters.
The not-for-profit organisation is in contact with more than seven million students, according to its website. It did not immediately return calls for comment.
Probing for answers
Law enforcement authorities are investigating the breach, though it was unclear on Sunday how many customers or students had been exposed. Epsilon is also looking into what went wrong.
"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."
Capital One, which also runs a bank, and Walgreens, the largest US drugstore, said the Epsilon hacker accessed its customer email addresses, but no personally identifiable information.
TiVo, a maker of digital video recorders, said the information that was obtained was limited to email addresses and clients' first names.
The incident comes three years after hackers penetrated Heartland Payment Systems, a credit and debit card processor, in one of the biggest identity-theft cases in US history.
In that case, notorious hacker Albert Gonzalez led a ring that stole more than 40 million payment card numbers, and was later sentenced to 20 years in prison.
On Friday, JPMorgan Chase & Co, the second-largest US bank, and Kroger, the biggest US supermarket operator, said that some customers were exposed as part of the Epsilon data breach.
Citigroup announced that it had been affected on Saturday evening. Spokesman Sean Kevelighan said the bank started informing its customers of the breach on Friday through a link on its website.
Some of Epsilon's other clients include Verizon Communications, Blackstone Group LP's Hilton Hotels, Kraft Foods, and AstraZeneca.
Return to security news headlines
View Security News Archive