Target Corp. has joined the list of retailers and bankers whose e-mail addresses were stolen by hackers over the weekend.
The retailer sent messages to customers Monday afternoon and evening warning them of the security breach at Epsilon, an Irving, Texas, marketing company that works with some of the nation's biggest names in banking and retail.
Best Buy Co. Inc. and U.S. Bancorp were also among the victims of the attack.
"Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information," Target said in a statement Tuesday.
Analysts say the customer lists could allow hackers to craft plausible but phony e-mails, known as "phishing attacks," aimed at defrauding consumers or taking control of their computers.
"Now the criminals know more about you, and they can target you better," said Avivah Litan, a computer security analyst at research firm Gartner. She ranked the security breach as a 7.5 to 8 level disaster, on a scale where 10 is the worst, "because of what it could turn into."
The breach, one of the largest in history, exposes the risks of outsourcing customer communication to outside firms -- long a concern of privacy experts. Experts predict it could lead to fundamental changes in the way companies store and share personal information.
The stolen e-mail addresses belong to customers of big banks, including Capital One Financial Corp., Ameriprise Financial Inc., Barclays Bank, U.S. Bancorp, Citigroup Inc. and J.P. Morgan Chase & Co., and to customers of major retailers such as Target, Best Buy, Walgreen Co. and Kroger Co.
Also stolen were e-mail addresses of students using the College Board, a not-for-profit organization that runs the SATs, and customers of Walt Disney Co.'s travel subsidiary, Disney Destinations.
The first threat to consumers is that they might be flooded with unwanted spam messages. They also might be tricked into giving out passwords and user names that provide access to their bank accounts, enabling hackers to learn more about their personal lives.
Outright thefts from bank accounts are unlikely because in most cases a hacker wouldn't have enough information to conduct transactions. But consumers could be tricked into visiting bogus websites that download malicious software to a consumer's PC. That software could record keystrokes or, in some cases, take over the computer without the consumer's knowledge.
Consumers can't prevent the authentic-looking but phony e-mails from arriving in their inboxes, but they can protect themselves by deleting e-mails that ask for personal information or provide a link to a website. "Be more skeptical than trusting," warned Jason Miller, manager of data and information security at computer security firm Shavlik Technologies of New Brighton.
Companies such as Epsilon store vast amounts of personal information from some of the world's largest companies, making them a highly attractive target for hackers. When their security systems are breached, the effect is magnified, because the client data spans multiple companies and sectors, privacy experts say. Hackers can then tie this information together to create a more complete profile of a person.
"These companies present a large, concentrated point of attack," said George Peabody, director of emerging technologies at Mercator Advisory Group in Maynard, Mass.
Often, hackers will wait years before using stolen information, knowing that people will not remember the initial data breach, said Paul Stephens, director of privacy and advocacy at the Privacy Rights Clearinghouse in San Diego. "There is a real tendency to forget these things, but the information that's stolen is out there forever."
However, the Epsilon data breach will not be forgotten so easily, experts predict. Already, millions of people have received e-mail warnings from banks and retailers urging them to avoid replying to e-mails asking for personal information.
Best Buy urged its affected customers to "be very cautious" when opening links or attachments in e-mails from unknown senders, while J.P. Morgan recommended that customers not use their e-mail addresses as a login ID or password to access bank account information. A U.S. Bancorp spokesman said the Minneapolis-based bank has suspended all marketing and e-mail programs through Epsilon for an indefinite period.
Epsilon, a subsidiary of Alliance Data Systems Corp. of Plano, Texas, describes itself as "the world's largest permission-based e-mail marketing provider." The firm sends out 40 billion e-mails a year and boasts 2,200 clients.
Epsilon refused to disclose all the names of the companies affected by the security breach, or the numbers of people affected. The firm's spokeswoman also declined to discuss the cause of the breach.
The breach is so large that it could have a lasting impact on consumer trust in e-mail notices. Chris Douglas, a project manager in Spring Park, Minn., said he received e-mail notifications of the security breach from three companies: U.S. Bancorp, Best Buy and Ameriprise.
Douglas said he has already moved to close his membership in Best Buy's Reward Zone loyalty program, because he believes the firm violated a promise not to share his personal information. "I know this is shutting the proverbial barn door after the horse got out," he said. "But it seems to be one of the few things within my control."
Richard Crone, the chief executive of a bank technology consulting firm in San Carlos, Calif., predicts the breach will reduce the response rate to e-mail solicitations by 30 to 50 percent in the coming year. "We just turned a marketing freeway into a dirt road with potholes," Crone said. "It will slow down e-mail marketing efforts significantly."
Staff Writer Jackie Crosby contributed to this story.
Chris Serres • 612-673-4308 Steve Alexander • 612-673-4553