M&S data breach – you’re putting your trust in Epsilon

Some brands I trust, some brands I don’t. But what can we do when the brands who breach our trust are ones we’ve never heard of? I’m talking to you, Epsilon. It’s lost a number of brands’ customer details, including M&S.

Recently Dan Moore tried to explain why it’s not OK for companies to respond to a data breach by saying ‘oops’ – we need a lot more reassurance than that. But since then there’s been another huge data breach, and we’re still getting the same watered-down message.

People, such as our Twitter followers Lombear and SoElusive, have started receiving emails from Marks & Spencer, apologising for a breach at the company that handles some of their customer data. The company? Epsilon. Epsilon was targeted by hackers, who collected millions of names and email addresses from their clients.

Make the companies pay?

Last time we talked about this, a few people suggested that the best way to solve the problem was to financially punish the companies involved.

Louise told us that ‘as long as the cost of proper data control is high, but the cost of losing the data is low then companies will continue to adopt a “make do and mend” approach to data control.’ Dieseltaylor even suggested that ‘everyone who has their email addresses stolen by a hacking attack needs to be reimbursed say £10-25.’

Not everyone was so worried – Rarrar thinks that having your email data stolen is ‘probably a fact of life’ if you want to use some of the internet services on offer.

But my favourite comment came from Kenward, who has set up an email-forwarding system that lets him give a unique address to each company. This means he can identify where each spammer got his details from – clever, no?

Don’t talk to strangers

The thing that really bothers me in this case is that most of us hadn’t heard of Epsilon until they started losing data left, right and centre.

It’s not just M&S. Many US companies, such as Capital One, BestBuy and Citibank have been affected too. All of these are big household names, each asking customers to put their trust in a network of potentially unreliable suppliers.

We put our faith in these large brands, giving them our names, email addresses, and credit card details, only because they’ve spent years building up that trust. In the case of M&S, it’s a family name and an ethical brand to whom I don’t mind handing over my details.

But I’ve never heard of Epsilon – I don’t know if they are good or bad at handling data. So when they breach my trust, I need exactly the same reassurances that they are presumably giving to their clients. Epsilon will no doubt be grovelling to M&S right now, explaining what happened and why it won’t happen again – so why can’t I, the customer, have the same?

And while they’re at it, I wouldn’t mind if they followed Louise and Dieseltaylor’s suggestions too and threw in a bit of compensation.

jo g says:

8 April 2011

“We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk. We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result.”

Thanks guys! I’ve just STOPPED all my spam (changed email address), so this will be most welcome. Spam, I miss you! (Though I get plenty at work, including a large quantity in French!)

Lombear says:

I use a similar method in that every email address I give a company is unique. And now I can send the M&S and Mothercare ones straight into deleted items. One thing about this method is that you should not use just the name of the company ie mothercare@yourdomain.co.uk as that is a target for spammers (ie they send emails to mothercare@everydomain.co.uk). Best thing to do is use the name and another element – for example MOO – mothercareMOO@yourdomain.co.uk.

I received emails from both Mothercare and M&S yesterday regarding the Epsilon leak – and last month from play.com – The general tone of the emails is insulting as they inevitably say they take their data responsibilities seriously – They obviously don’t as they have farmed out the service to a supplier who passed their checks but who was vulnerable. They need to take this seriously and now and penalties are the way to go. The ICO is essentially useless – I have never received a response to a complaint made. Time for some robust legislation and for that to be followed up.

Nikki Whiteman says:

Lombear – I love that system. I’m very tempted to set one up myself when I can find time, as I am always baffled about where people get my addresses from!

I also wanted to add that of course M&S aren’t the only UK company that has been affected by the Epsilon data breach. Lots of other companies (mostly based in the US) have already sent emails to their customers letting them know they might be affected. Among the other companies affected: Mothercare, Barclays Bank, Citibank, Abe books, and Marriott hotels.

Please do let us know in this thread if you get any more of these emails – we’d like to know who has been affected!

Simon says:

You can do something similar to the suggestion above that mentions Mothercare using Gmail. Their system allows you to add anything you want after your username with a + sign, and the emails still get delivered to you.

So for example when you register with M&S you could put yourusername+mands@gmail.com, and it will be delivered to yourusername@gmail.com.

I wish I’d done this in the past, before M&S let my details get stolen.

Hannah Jolliffe says:

11 April 2011

That’s great advice – thanks Simon, I didn’t realise you could do this.

clint kirk says:

That’s better than nothing (and free), but unfortunately some spammers already know this, and when they see an email address matching the pattern X+Y@gmail.com they automatically convert it to X@gmail.com.

rarrar says:

Its not that I was “not worried” about the loss of my email address but that I was resigned to it occurring !
Its the modern equivalent of having your name and address put on Junk mail mailing lists by companies selling their mailing lists or passing them on to “affiliated companies”.
However the good news is that its much easier to change or drop an email address than change your home address !

13 April 2011

Hi rarrar – sorry, I didn’t mean to imply that you weren’t worried at all! It’s obviously worrying for everyone, even when we’ve resigned ourselves to getting spam no matter what.

You’re right – it is quite a bit like junk mail. I think I’m quite lucky that my spam filters are generally very good – I only very occasionally get dodgy mail in my actual inbox, and that’s usually when a friend’s account has been hacked and mails get sent out to all their contacts.

Your point about changing an email address is interesting, though. I think if I woke up one morning and found I couldn’t use my email address *at all* I’d be completely at a loss – everything I do is done online, from banking and bills to almost all my communication with friends and family. I also have all postal addresses stored in my Google account, so that when I need to write a proper letter or send a birthday card I don’t have to ring people to find their addresses! Getting a new account wouldn’t be as hard or as complicated as moving house, but it would definitely put a halt to my life for quite a while, as I sorted everything out and changed all my details.

I think the chance of loosing complete access to one’s email account due to SPAM is rather remote. Moving contact details between accounts is not difficult and previous suggestions of having different email accounts for different activities is the way to go.

Help

M&S didn’t lose your personal data, so who did?

Make the companies pay?

Don’t talk to strangers

Search

Latest discussions

Take our community survey

Vote in our poll

Make the companies pay?

Don’t talk to strangers

Search

Latest discussions

Take our community survey

Vote in our poll

Join the debate

Related discussions