Epsilon announced the breach April 1, updating it yesterday to note the breach affected about two percent of its clients.
(Epsilon gets props for announcing the breach in a release on its website, rather than just telling its clients and ignoring potential victims among the public, or sending out a press release and then clamming up. Still, the announcement of a major security breach is about a third the length of the announcement a week earlier that it had hired two new execs to lead its retail marketing business. Priorities.)
Epsilon belongs to $2 billion/year Alliance Data Systems Corp, which runs customer-loyalty programs, retail customer-data-marketing services, and, through Epsilon, direct-email marketing campaigns for "over 2200 global brands such as Hilton Hotels, Verizon, New York & Company, Kraft, KeyBank, and AstraZeneca."
With verified email addresses tied to a known brand, spammers or spear phishers can direct scams at actual customers of that brand. If they put in the extra work to add personal-identity information from personal-data brokers or online-activity records, they can build more complete profiles of individual consumers in order to target them more specifically.
The breach is a warning to companies that use outside service providers for commercial email and other services, according to a GovInfoSecurity story on the potential liability of companies owning the stolen data.
Email address lists aren't considered as sensitive as financial or medical data, so they tend not to be as tightly secured in encrypted databases or high-security servers.