Epsilon is working with federal authorities and outside forensics experts to investigate the marketing firm's recent e-mail address security breach, Epsilon parent company Alliance Data Systems Corp. said in a statement this week.
Approximately 2% percent of Epsilon's clients were affected by last week's breach, which involved an unauthorized entry into its e-mail system and the compromising of millions of clients' customer names and e-mail addresses, Alliance Data said.
Epsilon manages customer e-mail databases for more than 2,500 clients including large financial institutions and retailers.
Alliance Data confirms that based on "rigorous internal and external reviews," the compromised data is strictly limited to customer names and e-mail addresses. Since the breach, access to Epsilon's e-mail system has been restricted further and its security protocols have been under review, the statement read.
"While we can't reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets – their customers," Alliance Data CEO Ed Heffernan said in the statement. "Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency."
Alliance Data also said the company's biggest concern following the breach is a potential client loss. Epsilon's e-mail marketing campaigns have resumed and e-mail volumes are not expected to be significantly impacted, the company said.
While credit unions are not amongst the reported Epsilon clients affected by the breach, several CUs are warning their members against phishing scams in response to the incident.
Credit unions including the $1.9 billion HarborOne CU of Brockton, Mass., the $551 million Y-12 Federal CU of Oak Ridge, Tenn., the $729 million TwinStar CU of Olympia, Wash., and the $434 million iQ CU in Vancouver, Wash., posted messages on their websites stating that while they have no affiliation with Epsilon, members who have opted-in to an Epsilon client e-mail marketing list could be at risk of e-mail phishing scams.
Andrew Jaquith, CTO for Connecticut-based information security vendor Perimeter E-Security, said since customer names and e-mail addresses were the only data compromised, the incident's impact on Epsilon clients and their customers will be minor.
But he says the breach is "embarrassing" for Epsilon and indicates flaws in the company's security.
"The fact that the attackers could obtain such a vast quantity of information means that they compromised Epsilon's security to get it," Jaquith said.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Natasha Chilingerian
Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.
