Warning: Email Data Breach Hits Best Buy, Walgreens, Disney, Citibank

Customers of companies from Best Buy, Walgreens, and the Ritz Carlton to Tivo, and even Disney, beware. Those are just a few of the latest firms to be hit by hackers, resulting in the release of the names and email addresses of thousands of consumers to unauthorized people.

Customers of companies from Best Buy, Walgreens, and the Ritz Carlton to Tivo, and even Disney, beware.  Those are just a few of the latest firms to be hit by hackers, resulting in the release of the names and email addresses of thousands of consumers to unauthorized people.

The data breach occurred last Thursday and reportedly hit more than 15 of the U.S.’s largest consumer chains and firms, including credit-card issuers Capital One, Citi, JPMorgan Chase and US Bank, all managed by Epsilon, a leading online marketing company.

While no financial information was compromised, the major concern is that the emails and names of affected consumers could be used for “phishing” schemes.

J.P. Morgan Chase & Co. and supermarket chain Kroger Co. were among the first to announce on Friday that they were victims of the hack, followed by statements from TiVo and Walgreen on Saturday saying some client data had been breached.

In an email to customers, Citi explained that Epsilon is “a third-party vendor that provides marketing services to a number of companies.”

Best Buy posted took to social media to reach its customers directly, posting a link to a statement Sunday on Twitter, followed by an email to customers on Monday warning them of the security breach.

“On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization,” wrote Barry Judge, Best Buy’s chief marketing officer, in the email.

The impacted companies, including Best Buy, also reminded customers to remain alert to unusual emails and ignore any e-mails asking for confidential information.

“In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com,” Judge wrote. “If you receive an email asking for personal information, delete it. It did not come from Best Buy.”

Epsilon, based in Dallas, issued a statement on its website saying the incident took place on March 30 when “a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only.”

The company also said “a full investigation was under way” of the breach.

A major player in the online marketing field, Epsilon sends more than 40 billion emails each year to the customers of its more than 2,500 clients, according to Security Week.

A full list of the affected companies, as reported by Security Week:

•                Ameriprise Financial

•                Best Buy

•                Brookstone

•                Capital One

•                Citi

•                Disney Destinations

•                Home Shopping Network

•                JPMorgan Chase

•                Kroger

•                LL Bean Visa Card

•                Marriott Rewards

•                McKinsey & Company

•                New York & Company

•                Ritz-Carlton Rewards

•                TiVo

•                The College Board

•                US Bank