Thanks to Epsilon Data Management, hackers have millions more email addresses to target. Get ready for the spam and scam

I have to admit I had been feeling a bit left out. Everyone I knew was getting emails and letters from companies they do business with warning them about the Epsilon Data Management email breach and what might happen to them.

So it was quite a relief when I opened up an email from Marriott yesterday and read the following:

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

I’m not such a digital loser after all. Epsilon spews out some 40 billion commercial emails a year (all legally, I might add); you’d have to be a hermit living in a cave to not be touched by this.

According to the company, hackers stole the email addresses for less than 2 percent of its clients, but if Epsilon happens to know which 2 percent, the company hasn’t been talking about it. Epsilon posted an extremely terse, detail-challenged press release announcing the breach on April 1 (talk about your April Fools) and hasn’t said much since.

Epsilon’s client roster reads like a who’s who of corporate America: JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, U.S. Bank, Citi, Ritz-Carlton Rewards, Brookstone, Walgreens, the College Board, the Home Shopping Network, Target, TiVo, and at least a dozen more.

How did Epsilon get its grubby fingers on my email address in the first place? Fortune 500 firms desperately want to keep an electronic leash on their customers, but they don’t have a clue how to do it. Instead, they outsource the job to companies like Epsilon, sharing their massive customer databases with these marketers, who are contractually obligated to keep that data secure. (Apparently Epsilon didn’t read the fine print.)

In most cases, all the hackers got was a name and an email address. What bad things could happen? Aside from the fact this data is going to get sold and resold a thousand times to various spammers, the smart money says it will also likely be used for spear phishing campaigns aimed at select customers. My bet is that Epsilon’s banking clients will be the first to be phished, since that’s the fastest route to money.

If you think you’re too smart to fall for a spear phishing attack, remember: Spear phishing is allegedly how Chinese hackers got access to Gmail passwords. If Google can be fooled, so can you.

Epsilon isn’t exactly a warm and fuzzy company to start with. MSNBC’s Bob Sullivan quotes Epsilon veep Tony Cheung whining about “trigger happy” Americans who label everything spam, even when it legally isn’t:

A big part of Epsilon’s job is convincing Internet service providers that the e-mails it sends on behalf of brand-name companies aren’t spam. Annoyed recipients will trigger consumer complaints and spam reporting, which can cause a red flag at an ISP and ultimately disrupt an e-mail campaign.

Tony Cheung, an Epsilon vice president based in China, lamented in a recent column on the firm’s site about Americans’ “indignation response” to unwanted e-mails. “Few Chinese e-mail users actually click to unsubscribe unwanted inbound mails, in stark contrast to the far more trigger-happy Americans and Europeans,” he wrote.

The reason unwanted commercial email isn’t technically spam is thanks to some extremely weak antispam laws. Essentially, if you’ve ever done business with a company at any time in the past and you made the mistake of providing them your email address, they can send you as much unsolicited email as they want — at least, until you tell them to stop. Even if you’re not a customer, they can email you out of the blue, and as long as they follow a few simple rules (such as provide a valid subject line, name, address, and working unsubscribe option) they can fill your inbox until you scream “no mas.”

Technically, that’s not spam. But on a practical basis, it is — hence the “indignation response” we annoying Americans have to this problem. You want indignation, Epsilon? You ain’t seen nothing yet.

The safest path: For the foreseeable future, if you get any emails from any corporate entity that aren’t in response to a request you’ve made, assume they are spam and delete with extreme prejudice. You might miss out on a few deals, but you’ll be a bit safer — and you’ll wreak havoc with the business models of Epsilon and its spammy brethren.

Ever had your data breached by some company you’ve never heard of before? Post your tale of woe below or email me: cringe@infoworld.com.

This article, “Epsilon, spammers in expensive suits,” was originally published at InfoWorld.com. Track the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, and subscribe to Cringely’s Notes from the Underground newsletter.