
M&S didn’t lose your personal data, so who did?


Some brands I trust, some brands I don’t. But what can we do when the brands that breach our trust are ones we’ve never heard of? I’m talking to you, Epsilon. It has lost the customer details of a number of brands, including M&S.

Recently Dan Moore tried to explain why it’s not OK for companies to respond to a data breach by saying ‘oops’ – we need a lot more reassurance than that. But since then there’s been another huge data breach, and we’re still getting the same watered-down message.

People, such as our Twitter followers Lombear and SoElusive, have started receiving emails from Marks & Spencer apologising for a breach at the company that handles some of their customer data. The company? Epsilon. Epsilon was targeted by hackers, who collected millions of names and email addresses belonging to its clients’ customers.

Make the companies pay?

Last time we talked about this, a few people suggested that the best way to solve the problem was to financially punish the companies involved.

Louise told us that ‘as long as the cost of proper data control is high, but the cost of losing the data is low then companies will continue to adopt a “make do and mend” approach to data control.’ Dieseltaylor even suggested that ‘everyone who has their email addresses stolen by a hacking attack needs to be reimbursed say £10-25.’

Not everyone was so worried – Rarrar thinks that having your email data stolen is ‘probably a fact of life’ if you want to use some of the internet services on offer.

But my favourite comment came from Kenward, who has set up an email-forwarding system that lets him give a unique address to each company. This means he can identify where each spammer got his details from – clever, no?

Don’t talk to strangers

The thing that really bothers me in this case is that most of us hadn’t heard of Epsilon until they started losing data left, right and centre.

It’s not just M&S. Many US companies, such as Capital One, BestBuy and Citibank, have been affected too. All of these are big household names, each asking customers to put their trust in a network of potentially unreliable suppliers.

We put our faith in these large brands, giving them our names, email addresses and credit card details, only because they’ve spent years building up that trust. In the case of M&S, it’s a family name and an ethical brand to which I don’t mind handing over my details.

But I’ve never heard of Epsilon – I don’t know if they are good or bad at handling data. So when they breach my trust, I need exactly the same reassurances that they are presumably giving to their clients. Epsilon will no doubt be grovelling to M&S right now, explaining what happened and why it won’t happen again – so why can’t I, the customer, have the same?

And while they’re at it, I wouldn’t mind if they followed Louise and Dieseltaylor’s suggestions too and threw in a bit of compensation.


“We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk. We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result.”

Thanks guys! I’ve just STOPPED all my spam (changed email address), so this will be most welcome. Spam, I miss you! (Though I get plenty at work, including a large quantity in French!)

I use a similar method in that every email address I give a company is unique. And now I can send the M&S and Mothercare ones straight into deleted items. One thing about this method is that you should not use just the name of the company, i.e. mothercare@yourdomain.co.uk, as that is a target for spammers (i.e. they send emails to mothercare@everydomain.co.uk). The best thing to do is to use the name and another element – for example MOO – mothercareMOO@yourdomain.co.uk.

I received emails from both Mothercare and M&S yesterday regarding the Epsilon leak – and last month from play.com. The general tone of the emails is insulting, as they inevitably say they take their data responsibilities seriously. They obviously don’t, as they have farmed out the service to a supplier who passed their checks but who was vulnerable. They need to take this seriously, and now, and penalties are the way to go. The ICO is essentially useless – I have never received a response to a complaint made. Time for some robust legislation and for that to be followed up.

Simon says:
8 April 2011

You can do something similar to the suggestion above that mentions Mothercare using Gmail. Their system allows you to add anything you want after your username with a + sign, and the emails still get delivered to you.

So for example when you register with M&S you could put yourusername+mands@gmail.com, and it will be delivered to yourusername@gmail.com.

I wish I’d done this in the past, before M&S let my details get stolen.

That’s great advice – thanks Simon, I didn’t realise you could do this.

That’s better than nothing (and free), but unfortunately some spammers already know this, and when they see an email address matching the pattern X+Y@gmail.com they automatically convert it to X@gmail.com.
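As an added example (not code from the original post, from Kenward’s forwarding set-up or from Gmail), here is a small Python module covering the per-company alias technique discussed in the post and the comments above. It derives a unique alias for each company from a private secret rather than the bare company name, attributes incoming mail back to the company the alias was handed to, and includes the Gmail ‘+tag’ collapse described in the previous comment to show why a plus-tag loses attribution while a secret-tagged alias on your own domain does not. The domain, secret and sample messages are constructed for illustration.

```python
"""Per-company e-mail aliases that show which supplier leaked an address.

Added example; it is not code from the original post, from Kenward's
forwarding set-up, or from Gmail. It assumes a domain you control whose
local parts all deliver to one mailbox (a catch-all). The domain, secret
and sample messages below are constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, Iterable, Optional

DOMAIN = "yourdomain.co.uk"                    # constructed; your own domain
SECRET = b"replace-with-a-long-random-value"   # constructed; keep private


def tagged_address(company: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Return a unique alias for one company, in the mothercareMOO@... style.

    The extra element is an HMAC-SHA256 tag over the company name under a
    private secret, so the alias is stable for that company but cannot be
    guessed from the bare company name (the concern raised above).
    """
    name = re.sub(r"[^a-z0-9]", "", company.lower())
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{name}{tag}@{domain}"


def build_registry(companies: Iterable[str]) -> Dict[str, str]:
    """Map each alias back to the company it was handed to."""
    return {tagged_address(c): c for c in companies}


def attribute(recipient: str, registry: Dict[str, str]) -> Optional[str]:
    """Name the company whose alias received a message, or None if unknown."""
    return registry.get(recipient.lower())


def gmail_normalise(address: str) -> str:
    """Collapse a Gmail address the way the comment above says spammers do:
    drop everything after '+' and remove dots in the local part.

    Included to show the limit of plus-addressing: once normalised, the
    '+mands' tag is gone and the message can no longer be attributed."""
    local, _, domain = address.lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


# Recipient header of a raw message; the '<...>' brackets are optional.
RCPT = re.compile(r"^(?:To|Delivered-To):\s*<?([^>\s]+)>?", re.I | re.M)


def leak_report(raw_messages: Iterable[str], registry: Dict[str, str]) -> Counter:
    """Count unsolicited messages per company, by the alias they arrived at."""
    hits: Counter = Counter()
    for msg in raw_messages:
        m = RCPT.search(msg)
        company = attribute(m.group(1), registry) if m else None
        if company:
            hits[company] += 1
    return hits


REGISTRY = build_registry(["M&S", "Mothercare", "Play.com"])

# Constructed headers standing in for the post-breach spam.
SAMPLE_MAIL = [
    f"From: offers@example.net\nTo: <{tagged_address('M&S')}>\nSubject: You have won",
    f"From: deals@example.org\nDelivered-To: {tagged_address('M&S')}\nSubject: Cheap pills",
    f"From: news@example.com\nTo: {tagged_address('Mothercare')}\nSubject: Hi there",
    "From: friend@example.net\nTo: me@yourdomain.co.uk\nSubject: Hello",
]

if __name__ == "__main__":
    for company, n in leak_report(SAMPLE_MAIL, REGISTRY).most_common():
        print(f"{n} unsolicited message(s) arrived at the alias given to {company}")
    print(gmail_normalise("yourusername+mands@gmail.com"))
```

Running the module on the constructed sample reports two messages at the M&S alias and one at the Mothercare alias, and shows that `yourusername+mands@gmail.com` collapses to `yourusername@gmail.com`, which is exactly the loss of attribution the previous comment warns about. The secret-tagged aliases survive the same normalisation because the tag is part of the local part itself, not a ‘+’ suffix.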

It’s not that I was “not worried” about the loss of my email address but that I was resigned to it occurring!
It’s the modern equivalent of having your name and address put on junk mail mailing lists by companies selling their mailing lists or passing them on to “affiliated companies”.
However, the good news is that it’s much easier to change or drop an email address than to change your home address!

I think the chance of losing complete access to one’s email account due to spam is rather remote. Moving contact details between accounts is not difficult, and the previous suggestions of having different email accounts for different activities are the way to go.