Polo Ralph Lauren Corp. was among numerous companies affected by a massive e-mail breach at Epsilon, the Irving, Tex.-based multichannel marketing services firm.
Epsilon, which sends 40 billion e-mails annually on behalf of more than 2,500 clients, said customer information from 2 percent of its clients was compromised in a data breach, which was detected March 30. The information that was obtained was limited to e-mail addresses and/or customer names only. An assessment showed that no other personally identifiable information was at risk. A spokeswoman for Epsilon said she couldn’t comment further while the company conducts an investigation and cooperates with authorities.
According to security experts, the breach could result in an onslaught of phishing attacks — e-mails that purport to be from a legitimate business but are used to steal information such as passwords, account numbers and credit card information.
An e-mail Thursday night sent to Polo Ralph Lauren customers said the company had been recently informed that “an unauthorized third party” gained access to an Epsilon e-mail application and obtained names and e-mail addresses of Polo Ralph Lauren customers. “We have been informed by Epsilon that the company took immediate action to address the system vulnerability and is working with the U.S. Secret Service to investigate. We regret that you may have been affected by this,” said the e-mail.
Polo pointed out that no payment card information or Polo Ralph Lauren account information was acquired as a result of this incident. “Nevertheless, we strongly encourage you to remain vigilant when reviewing e-mails that you receive, particularly e-mails that request sensitive personal or financial information. We take our obligation to safeguard your personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself,” said the e-mail. The e-mail gave several tips, such as “do not provide sensitive personal or financial information using e-mail,” and “do not open e-mails from senders you do not know.”
A spokesman for Polo declined further comment, but said the company stopped using Epsilon last year.
A list published by Security Week named several companies in the retail and apparel industry that were affected by Epsilon’s security breach. They include Lacoste, Marks & Spencer (U.K.), New York & Co., Target, Bebe Stores and Eddie Bauer. These are in addition to companies such as J.P. Morgan, Kroger, Capital One Financial, Barclays Bank, The College Board and TiVo, which have acknowledged that their customers’ data may have been accessed by hackers.
This is the second online security breach impacting companies in the industry. In one of the biggest data breaches in history, hackers stole information on 45.7 million credit and debit cards from TJX Co.’s computer system in 2005 and 2006. In addition to credit card numbers, personal information such as social security numbers and driver’s license numbers was downloaded by the intruders. TJX set aside $171.5 million to deal with costs related to the computer intrusion. Albert Gonzalez, the computer hacker behind the TJX theft, as well as several others, was sentenced to 20 years in prison on March 25, 2010.