Nonprofits Might Have Escaped Epsilon Data Breach

Millions of records of customer data were breached last week after hackers penetrated the email system of a direct marketing vendor also used by some of the nation’s largest charities.

It’s unclear whether any nonprofits were affected by the breach. Epsilon, the online email marketing division of Dallas-based Alliance Data Systems (ADS), said in a statement that an incident was detected on Thursday “where a subset of clients’ customer data were exposed by an unauthorized entry into its email system.” The information obtained was limited to email addresses and customer names only. “A rigorous assessment determined that no other personal, identifiable information associated with those names was at risk. A full investigation is underway.”

Several large corporations, including Best Buy, TiVo, Walgreen, Kroger and JP Morgan Chase, alerted customers to the breach, but whether any nonprofits’ data were breached remains unclear. “As we conduct a thorough investigation and cooperate with authorities, we are unable to comment any further,” said Jessica Simon, an Epsilon spokesperson, who was unable to confirm whether any impacted clients were nonprofits. In a press release April 4, Epsilon estimated that approximately 2 percent of its total clients were affected, a subset of those clients that use Epsilon’s email services.

Among Epsilon’s nonprofit clients are the San Diego Zoo, Save the Children, March of Dimes Foundation and The Smithsonian. Westport, Conn.-based Save the Children Federation in 2008 spent some $808,000 with the firm for fundraising counsel. Last year, the firm won a Gold MAXI Award from the Direct Marketing Association of Washington for Save the Children’s Special Gifts Summer Challenge Appeal. Save the Children was contacted by Epsilon in the days after the breach to confirm that its data had not been involved in the breach.

The Smithsonian in Washington, D.C., spent $2.2 million, according to its tax forms, for direct mail acquisition, retention and donation programs. Epsilon has run the membership program for 35 years for the San Diego Zoo, its longest-tenured client. The San Diego Zoo (SDZ), contacted by Epsilon on Monday morning, had not been compromised. “It looks like we have not been affected by this disruption and have been assured by Epsilon that our data was on a different server than the affected one,” said SDZ spokesperson Yabira Galindo.

The University of Texas MD Anderson Cancer Center, in Houston, was alerted about the breach on April 1 via a press release by ADS. Spokesperson Sarah Watson said the data firm has no contact with the hospital’s constituents via email so there was no information to take.

March of Dimes last year spent $2.2 million with Epsilon on “data processing,” according to its tax forms. The White Plains, N.Y.-based charity uses the firm for email deployment marketing campaigns and confirmed that it was unaffected by the breach, receiving notice from Epsilon by email late Friday night.

Best Buy tweeted a link to its statement about the breach on Sunday morning. Others warned their customers that they may receive phishing scam emails as a result of the breach, which is likely to affect millions of customers.

Epsilon was trending as the seventh most popular topic on Twitter Monday morning. Shares of ADS dipped in early trading this morning, down as much as 5 percent within the first hour after markets opened. ADS acquired Epsilon in fall 2004 for $300 million.