Data Breach Escalates Privacy Concerns


NEW YORK (MainStreet) – Like many American consumers, I received emails from a few retailers last week informing me that my email address may have been stolen as a result of a massive data breach. Target (Stock Quote: TGT), for instance, sent me an email saying that “Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry.”

Walgreens (Stock Quote: WAG) sent me a similar email, saying “On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.”

Like many Americans, I had two questions: What does this breach mean for my privacy? And who are these Epsilon people that retailers have given my email address to?

The answer to the first question is somewhat comforting. For now it seems that only email addresses and names were leaked as part of the breach, which means that the only real fallout from the breach will likely be increased spam and phishing attempts. As long as you’re vigilant about not giving out personal information to emailers purporting to be retailers or financial institutions, there’s likely little concern that this could precipitate widespread identity theft.

But the answer to that second question is a bit more complicated.

As Walgreens’ and Target’s emails say, Epsilon is an email service provider contracted by the retailers to handle their mass marketing duties; Chase (Stock Quote: JPM), which was likewise involved in the breach, described the company as simply “a vendor we use to send emails.”

But as the laundry list of huge retailers and banks contracted with Epsilon might indicate, this is not just another email marketer. In a press release finally apologizing for the breach on Wednesday, Epsilon’s parent company Alliance Data describes itself as “North America's largest and most comprehensive provider of transaction-based, data-driven marketing and loyalty solutions serving large, consumer-based industries.”

According to the company’s own metrics it made $2 billion in revenue in 2009, helped along by Epsilon’s contracts with “2,200 global brands.” And an Alliance spokesperson confirmed that Epsilon is the world’s largest provider of permission-based email marketing of the sort used by retailers.

So why have so few people heard of the company until now?

In short, because most of the retailers don’t tell you about their relationship with the firm when you sign up to receive email updates. Take Best Buy’s privacy policy, for instance: it does not mention Epsilon or Alliance by name, only noting that “in limited circumstances, Best Buy may need to share your information with certain third parties to perform services on our behalf.” Other retailers and institutions that use Epsilon are similarly vague about the fact that an outside firm is in possession of user information. 

“I don’t think most consumers have the expectation, when they give their email address, that that information is going to be shared with a large marketing firm,” says Paul Stephens, director of policy and advocacy for the non-profit group Privacy Rights Clearinghouse. That, he says, is due to the fact that the U.S. does not have an overarching privacy law governing these sorts of disclosures.

That said, it’s not unreasonable to expect companies large and small to contract an outside firm for their email marketing and other administrative duties. Indeed, one could even argue that it’s comforting to know that your contact information is in the hands of a third party that specializes in email list management. After all, such a specialized firm would presumably be better equipped to keep that sort of data secure than, say, the IT department for a big-box retailer.

But Julie McNelley, a senior analyst at the Aite Group, a research and advisory firm, said that the data breach shows that Epsilon’s email database was not encrypted – a practice that she says reflects an outdated mentality toward email addresses.

“They were not treating email addresses as a valuable data element,” she says. “Email in the past wasn’t considered sensitive identifying information, but now a lot of sites use your email address as the default username for login.”

In other words, email isn’t just a place where you get messages – it’s also used in transactions which you’d like to be secure. And when that’s combined with some people’s poor personal security practices like using the same password for multiple websites, it becomes clear that the leak of an email address has the potential to be more serious than an inbox full of spam. Furthermore, security experts note that having the addresses associated with specific retailers or banks could allow for even more targeted phishing attempts.

Even putting aside the data breach, some privacy advocates expressed concern over a single marketing firm being in possession of so much consumer data. Stephens, for instance, says that a firm of Alliance’s size could hypothetically associate browsing and shopping habits with a consumer’s email address, then sell that data to other retailers who do business with the same consumer. Still, he stopped short of accusing Epsilon of such practices, and an Alliance spokesperson insisted that account information was never used for purposes beyond management of email lists.

It’s unclear, then, whether the average consumer should be concerned that Epsilon – a company previously unknown to most Americans – is in possession of so much consumer contact information. A spokesperson said that the company has “already started implementing changes” to its security procedures, though she refused to elaborate or say whether email addresses would henceforth be encrypted.

If there is a silver lining to this whole sordid affair, it’s that consumers are finally aware that when you give your email address to your favorite retailer, it doesn’t necessarily stop there. In most cases it will wind up with a third-party email marketing firm, and as we saw last week, it may subsequently fall into the hands of spammers.

In the absence of regulations governing a retailer’s ability to share user information with third parties, what consumers do with this newfound knowledge will boil down to each person’s ideas about how private they want their information to be.
