Citibank, JP Morgan Chase and the Kroger supermarket chain are warning customers that their names and e-mail addresses may have fallen into the wrong hands after someone broke into computer systems at e-mail marketing giant Epsilon.
Epsilon, whose other customers include Visa, Kraft, and Marriott International, acknowledged the incident in a brief statement Friday. "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said. "The information that was obtained was limited to email addresses and/or customer names only."
Epsilon said it doesn't believe any other personal information was compromised, but it is now working with authorities on an investigation, a company spokeswoman said Friday.
Epsilon only learned of the breach on Wednesday and it is unclear yet how serious the issue is. On Friday, spokespeople for Chase and Epsilon declined to say much beyond their prepared statements.
In a letter to customers, Kroger said customer names and e-mail addresses were stolen. "As a result, it is possible you may receive some spam email messages," Kroger said. "We apologize for any inconvenience. Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted," the letter states.
Epsilon sent 6.5 billion e-mail marketing messages in 2009, but the company also runs loyalty programs for Citi and Chase credit card users, and the kind of information stored in its databases could be extremely valuable to criminals looking to steal banking information in phishing attacks.
Because of the risk of phishing, customers should be sure to check the Email Security Zone at the top-right of Citibank emails to be sure their correct name and the last four digits of their card number appear there, Citibank said Friday.
The information obtained in the breach "was limited to customer name and email addresses of some credit card customers," Citibank said in a statement. "No account information or other information was compromised."
Epsilon told Chase that none of its customers' financial information was compromised, the bank said Friday in a press release.
Kroger has posted a frequently asked questions document about the incident.
Marriott could not immediately be reached for comment.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com