M&S data stolen in Epsilon breach

gallery

Marks & Spencer has warned customers their email addresses have been leaked, thanks to a huge breach at US marketing firm Epsilon.

The retail giant emailed customers saying they could expect more spam messages, after addresses were leaked after the hack on Epsilon on 30 March.

Customer email lists from a wide range of major corporations were taken, including hotel chains Marriot and Hilton. It was thought most affected businesses were US based.

M&S confirmed no other personal information, outside names and email addresses, were stolen.

“We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation,” the firm said in its email.

Although spam could be an issue for customers hit by the breach, targeted malware attacks are another worry.

“Today, data theft accounts for 33 per cent of all attacks and although an increase in spam is an obvious outcome, not so obvious is the increased risk of targeted malware attacks seeking to infiltrate company systems,” said Paul Davis, director of European operations at FireEye.

“The loss of personal data is the initial step in a series of potential exploits from mass spam through to advanced targeted malware, which seeks to establish a beachhead within corporate systems for subsequent exploit and data exfiltration.”

Frank Coggrave, Guidance Software’s general manager for EMEA, said the Epsilon hack highlighted a wider trend in the industry.

“The significant knock-on effect to big name Epsilon customers, including Marks & Spencer and hotel chains Mariott and Hilton, highlights that no one is safe from these increasingly sophisticated and targeted attacks,” Coggrave said.

“Since attacks consistently break through even the toughest of security systems, organisations need to focus on deploying incident response plans to mitigate the effects.”

A number of high profile attacks have hit major corporations over the past month, including an Advanced Persistent Threat strike on security firm RSA.

Email to a friend

Print this page