I came to the same conclusion. It’s also telling that it’s Epsilon sending these notices on behalf of their clients… which is ironic since they are the ones with the compromised mailing system.

 

The numbers don’t add up. Epsilon’s footnote would lead you to believe that data from 2 percent of Epsilon’s customers had been pilfered — but 2 percent of 2,500 is considerably fewer than the number of companies already identified with Krebs’s grassroots approach. The total number of stolen email addresses must be astronomical.

There’s something else that doesn’t smell right. Epsilon said, “The information that was obtained was limited to email addresses and/or customer names only.” Yet Scottrade hints that noncustomers — “others who have previously provided us with their contact information” — are also included.

Epsilon is also mum on the question of whether the stolen data could be associated with a specific Epsilon customer. Having a list of 100,000 email addresses is one thing. Having a list of 100,000 valid email addresses from JPMorgan customers opens up an entirely different realm of possibilities.

That raises yet another question. If zillions of email addresses were stolen, and the thief or thieves can’t tell which Epsilon customer they came from, what is Epsilon doing, sitting on a big pool of undifferentiated email addresses and names?

In a final bit of irony, those messages from Epsilon’s customers, warning consumers that their email addresses had been compromised — the messages from Citibank and Target and Eddie Bauer? It looks like all of them came from … you guessed it, Epsilon. After all, the customers don’t have their own mailing lists.

No doubt you’ve already advised your users about phishing a hundred times over. Now would be a good time to remind them.

via Epsilon’s epic fail: The numbers don’t add up | Phishing – InfoWorld.