Marks and Spencer has been revealed as one of the approximately 50 companies that have been affected by a major security breach at email service provider Epsilon Interactive.
The attack caused the retailer to warn its online customers of a potential increase in spam email after their details were stolen from Epsilon.
Epsilon first warned of the incident Friday, saying that someone had got into company systems and obtained e-mail addresses and names belonging to some of its customers. It said that around 2 percent of its 2,500 clients were at risk, and the list of companies includes Barclays Bank, Citibank, Hilton Worldwide and Marriott International.
A spokesperson for Marks & Spencer said: “Epsilon, our email marketing supplier, has informed us that a number of its clients' files have been accessed without authorisation, including Marks & Spencer.
“The files were limited to names and email addresses and no other personal or financial information is at risk. We have contacted our customers to inform them of this incident.”
Companies hire Epsilon to send out a total of more than 40 billion messages on their behalf each year.
With millions of addresses thought to have been stolen, the problem may be worse than many people realise, security experts said Monday.
That's because once scammers know their victims' names and e-mail addresses, along with the companies that they do business with, they can craft very targeted "spear-phishing" e-mail attacks that try to trick victims into revealing more sensitive information such as passwords or account numbers.
"Everybody is downplaying it by saying, 'at least they didn't get financial information.' Well, that's true, but what they did get was enough to potentially get financial information [in a phishing attack]," said Neil Schwartzman, executive director with the Coalition Against Unsolicited Commercial Email, a consumer advocacy group based in Montreal.