Update on US Epsilon security breach – Marks and Spencer UK customers affected

Marks and Spencer has confirmed that its customers could have been compromised in the giant data attack on email marketing firm Epsilon earlier in the week, and is the first UK company to admit as much.

Marks and Spencer told customers to expect unsolicited spam emails, and urged them to “take (their) privacy seriously”.

The admission by Marks and Spencer could spark an investigation by the Information Commissioner’s Office (ICO) in the UK – companies which pass UK citizens’ personal details to US-based companies are required to ensure that the destination has a proper “safe harbour” arrangement to safeguard the data to European standards. An ICO spokesman said: “We are making enquiries to determine whether a breach of the Data Protection Act has occurred.”

Approximately 2% of the companies (50) Epsilon works for are assumed to have been affected, with Barclaycard, Capital One and Hilton Hotels included.

“Given the phishing activity it feels like a hacker crime ring,” said Kevin Rowney, the director of breach response at security firm Symantec. “It’s not a nation state or an intelligence agency. It’s clearly someone interested in profit from this data.” It would be weeks before investigators could identify the attackers, he added.

To be continued…