Skip to main content

Major e-mail data breach occurs at mega-marketer

By now, you've probably received one or more emails like this:

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:


Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

We'll explain after the jump --

Epsilon is a subsidiary of Alliance Data of Dallas, with an office in the Boston area, and is one of the largest providers of permission-based email marketing services in the world. Over the weekend, it notified customers that it had experienced a hack of its email system.  Epsilon has a roster of A-list clients and this breach is impacting practically anyone who has ever signed up to receive a retail offer or alert through their email account.   As of this morning, the list of affected companies includes financial services institutions such as Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank, through its LL Bean Visa card. Epsilon sends over 40 billion emails annually on behalf of clients.

In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retailers  Best Buy, Home Shopping Network, Walgreens, Brookstone, New York & Company, and Kroger.  To round out the eclectic group, the consulting giant McKinsey, The College Board, Robert Half International and Disney Destinations were also part of the confirmed list.

We've discussed at length what constitutes a breach under the state data breach notification laws.   Each law requires the unauthorized access or disclosure of some information in addition to an email address.   However, the scope of the Epsilon breach has its customers concerned that these email addresses could be use to launch targeted phishing attacks against unwitting consumers who have otherwise given permission to the banks and retailers and could then be used to gain access to other, more dangerous, personal information.  Such attacks are otherwise known as "spear fishing."

As breaches go, the amount of information exposed is very limited.  Marriott Rewards customers received similar reassurances, as only email addresses were stolen, and passwords, credit card information, member addresses and point balances remained safe. Other affected clients sent out similar messages over the weekend, and more are expected as Epsilon continues its investigation.

What to watch for --

  • "Security alert" emails from a bank or other retailer notifying you that your account has been compromised and you must click through to a link to reset.  It will ask you for specific account information.
  • Any email from one of the affected entities that asks you to click through to another link.  Examine the entire URL carefully before giving out account information.
  • Don't click through to any links in email if you did not expect to receive an email about your account.  The links may be inserting malware into your network.

To read more about this hack:




Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.