Unfortunately, Epsilon’s April 1 press release was no joke. The data included “email addresses and/or customer names only.” The release does not provide any detail about why they’re saying “and/or.”
Epsilon blames “unauthorized entry” to its email system. That’s different from the problem I found with the IntoNow app last week that required no intrusion to reveal user e-mail addresses.
Epsilon is still investigating, but says it is sure no other customer data was accessed. TiVo says Epsilon does not have access to credit card details, which makes sense to me if Epsilon only provides e-mail service.
I got TiVo’s notification late Saturday night while sitting around a campfire in the wilds of Fall Creek Falls State Park, TN (a.k.a. The Land That 3G Forgot). I found a rare spot in camp with Edge service and checked e-mail while updating our group on the Kentucky-UConn score. I saw TiVo’s note and nearly dropped my toasted marshmallow from surprise. It looks like TiVo is being up front and sending plenty of notifications. I have two TiVos under one account and received three e-mails between Saturday evening and Sunday morning. TiVo’s note specifically says only “first name and/or e-mail addresses” were revealed.
There have been some reports that Disney’s customers were included, but the Bizjournals article is more specific and says it was Disney Destinations, so to me that suggests e-mail addresses from Disney TV networks such as ABC were probably not exposed. Various online reports say other Epsilon customers exposed include Best Buy, Kroger, JP Morgan Chase, Walgreen, Capital One Financial, McKinsey & Co. and more. You might see the list grow on Monday if some companies were not nimble enough to act over the weekend.
As always, just because you get an e-mail from someone who knows your name and a little bit about you does not mean it’s legitimate. Unfortunately for the rest of us, these missteps make it harder to gain customer trust.
UPDATE: Here is the Best Buy e-mail I received Monday morning. Note that it says only e-mail addresses may have been accessed, but not names as with TiVo customers.