by Michael Cooney

‘We regret to inform you’: Epsilon breach letters you don’t want to see

News
Apr 05, 2011 | 12 mins
Cybercrime, Data and Information Security, Legal

“We regret to inform you …” are five words you never want to see in an email. But over the weekend thousands of people did as Epsilon began warning its customers that it had suffered a break-in and email addresses were stolen. Epsilon now says that about 50 of its client businesses were hit — no small number as Epsilon blasts some 40 billion messages in their names each year.

The problem is that now security experts warn that a ton of spear-phishing attacks will be forthcoming. And then there might be more letters of regret.

So in case you didn’t see one of these flaccid attempts to assuage customer nervousness, here are a few:

Target

Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.

While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.

Consider these tips to help protect your personal information online:

• Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.

• Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.

• Don’t open emails from senders you don’t know.

We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.

Sincerely,

Bonnie Gross

Vice President, Marketing and Guest Engagement

Red Roof Inn

Dear Guest,

We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We use our email service providers to help us manage the large number of email communications with our guests. Our email service providers send emails on our behalf to guests who have chosen to receive email communications from us.

How will this affect you? First, we want to assure you that your name and email address were the only information that was compromised. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information. As a result, you should be extremely cautious before opening links or attachments from unknown third parties or providing a credit card number or other sensitive information in response to any email. Also know that Red Roof will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from Red Roof.

We appreciate your business and loyalty to Red Roof and take your privacy very seriously. We will continue to work diligently to protect your personal information.

If you have any questions regarding this incident, please contact us at 877.733.7663 between the hours of 9am and 5pm Eastern.

Sincerely,

Brenda Eddy

Manager, Loyalty Marketing

Red Roof Inns, Inc.

BJ’s

Dear Customer,

Re: Important information regarding a breach to the privacy of your email address.

Barclays Bank of Delaware is the bank behind your credit card referenced above. We have been informed by Epsilon, a marketing vendor we use to send emails to customers, that someone outside their company gained unauthorized access to files in their systems that included your email address. This has affected many of our credit cards under our various co-brands, including the brand on your card.

Epsilon has assured us that the only information that was obtained was your name and email address. Please be assured your account and any other confidential or personally identifiable information were not at risk.

It is possible you may receive spam email messages as a result which could potentially ask you for additional information about your account. Please note, Barclays will never ask you in an email to verify sensitive information such as your full account number, Username, Password or Social Security Number. Therefore, any email which does so should be treated suspiciously, even if it looks like it comes from Barclays. As a reminder, we urge you to be cautious when opening links or attachments from unknown third parties.

Barclays is one of many companies affected and so you may receive similar notifications from other companies.

Please visit the “Privacy and Security” section at our website www.BarclaycardUS.com for more information on protecting your personal information.

We sincerely regret this has taken place and for any inconvenience this may have caused you. Barclays is committed to protecting customers against the misuse of their personal information and we take security issues very seriously. We vigorously monitor the security of our systems and require all third party vendors to adhere to strict security and privacy policies and procedures.

Please know that a full investigation of this matter is under way by Epsilon and we will continue to work diligently to protect your personal information.

If you have any questions or need further assistance, please call our customer care center at the phone number on the back of your credit card.

Sincerely,

Larry Drexler

Chief Privacy Officer

Barclays Bank of Delaware

Karen Smithson

Information Security Officer

Barclays Bank of Delaware

Kroger

Dear XXX

Kroger wants you to know that the data base with our customers’ names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).

Sincerely,

The Kroger Family of Stores

The Kroger Co.

1014 Vine Street

Cincinnati, OH 45202

Marriott

April 4, 2011

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

Best Buy

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit: http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge

Executive Vice President & Chief Marketing Officer

Best Buy

Chase

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

As a reminder, we recommend that you:

• Don’t give your Chase Online(SM) User ID or password in e-mail.

• Don’t respond to e-mails that require you to enter personal information directly into the e-mail.

• Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.

• Don’t reply to e-mails asking you to send personal information.

• Don’t use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

Sincerely,

Patricia O. Baker

Senior Vice President

Chase Executive Office

McKinsey Quarterly

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have any questions or concerns, please contact McKinsey Quarterly at info@mckinseyquarterly.com. For any media inquiries, please contact Humphrey Rolleston at +1-212-415-5321.

Sincerely,

Rik Kirkland

Senior Managing Editor

McKinsey & Company

Brookstone

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care
