2011: The Epsilon Data Breach: 60 Million Email Addresses Exposed
In late March 2011, Epsilon Data Management — a company most people had never heard of — announced that it had suffered a data breach. Within days, the scope of the damage became clear: this wasn’t just a breach of one company’s customer list. Epsilon was the email marketing backbone for 2,500 brands, and the attackers had accessed subscriber data from approximately 75 of them. An estimated 60 million or more email addresses, along with associated names, had been stolen. It was the largest email-specific data breach in history at that time, and its ripple effects changed how the industry thought about data security.
Who Was Epsilon?
Most consumers had never heard of Epsilon, but the company had almost certainly sent them email. A subsidiary of Alliance Data Systems, Epsilon was one of the largest email service providers (ESPs) in the world, handling more than 40 billion emails per year for client companies. Its client list read like a who’s who of American commerce: Best Buy, JPMorgan Chase, Citibank, Capital One, Kroger, TiVo, Walgreens, US Bank, Barclays, Disney, Marriott, Ritz-Carlton, McKinsey, College Board, and dozens more.
These companies entrusted Epsilon with their most valuable marketing asset: their customer email lists. When Best Buy wanted to send a promotional email to its rewards members, Epsilon’s systems handled the send. When Chase wanted to notify customers about new products, Epsilon managed the campaign. This centralization of email data created enormous efficiency — and an enormously attractive target.
The Breach
The attack occurred in late March 2011. An unauthorized party gained access to Epsilon’s email systems and extracted customer names and email addresses from approximately 75 client companies. Epsilon disclosed the breach on April 1, 2011, and the notifications began rolling in.
Over the following days and weeks, consumers received a deluge of breach notification emails from companies they did business with. “Your email address may have been exposed in a security incident at a third-party email vendor…” The sheer volume of notifications — coming from Best Buy, Chase, Citi, and dozens of others — created confusion and alarm.
The breach appeared to be limited to names and email addresses. Epsilon stated that no other personal information (Social Security numbers, credit card numbers, account numbers) was compromised. Some observers noted that “just” email addresses and names might seem like a minor haul compared to financial data breaches. They were wrong.
Why “Just” Email Addresses Matter
An email address paired with a name, combined with knowledge of which brands the person does business with, is a phishing goldmine. Before the Epsilon breach, a phishing attacker sending a fake Chase email had to spray it to random addresses, hoping some recipients were actually Chase customers. After the breach, the attackers knew exactly who banked with Chase, who shopped at Best Buy, and who stayed at Marriott hotels.
This information made phishing attacks dramatically more convincing. A phishing email that says “Dear John, as a valued Chase customer, please verify your account” is far more persuasive when John actually is a Chase customer. The specificity of the stolen data turned mass-market phishing into something approaching targeted social engineering.
Security researchers warned that the stolen data would fuel phishing campaigns for years, and they were right. The Epsilon breach data was combined with other stolen datasets to create increasingly sophisticated and personalized phishing attacks throughout the 2010s.
The Cost
Estimating the total cost of the Epsilon breach was an exercise in stacking uncertainties. Direct costs included breach notification for tens of millions of affected individuals across 75 companies, security audits and system hardening at Epsilon, legal fees and regulatory compliance, and credit monitoring services offered to affected consumers.
Various security firms estimated the total cost at $225 million to $4 billion, with the wide range reflecting different assumptions about downstream fraud losses. The Ponemon Institute, which tracks breach costs, estimated the direct cost at approximately $225 million. But when factoring in the long-tail cost of phishing attacks enabled by the stolen data, brand damage, customer churn, and regulatory actions, some analysts placed the figure much higher.
Industry Impact
The Epsilon breach forced the email marketing industry to confront uncomfortable questions about data centralization and third-party risk. If one ESP could hold — and lose — email data for 2,500 brands, was the centralized model fundamentally flawed?
The breach accelerated several industry trends. Data encryption became standard practice at ESPs — Epsilon’s data had reportedly been stored without encryption, a practice that was disturbingly common in 2011. Access controls and segmentation improved — the fact that an attacker who breached one part of Epsilon’s system could access data for 75 different clients suggested inadequate data isolation. Third-party risk assessment became a serious discipline, as brands realized that their data security was only as strong as their weakest vendor. And breach notification laws, already evolving, gained momentum as legislators pointed to Epsilon as an example of why robust disclosure requirements were necessary.
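The isolation and at-rest encryption the paragraph above describes, shown as an added example (this is not Epsilon's or any ESP's code): a subscriber vault that derives one key per client and refuses to decrypt a client's list without a credential bound to that client, so access to one client's data does not extend to the other 74. The class name `SubscriberVault`, its methods and the stdlib HMAC stream cipher are constructed for illustration; a production store would use AES-GCM with keys held in a KMS.

```python
"""Tenant isolation for a multi-client subscriber store (constructed example,
not Epsilon's or any ESP's real code). Each client's list is sealed under its own
derived key, and every read needs a credential bound to that client."""
import hashlib
import hmac
import secrets


class SubscriberVault:
    def __init__(self, master_key: bytes):
        self._master = master_key
        self._store = {}  # tenant_id -> (nonce, ciphertext, tag)

    def _tenant_key(self, tenant_id: str) -> bytes:
        # One key per client: a leaked tenant key exposes only that client's list.
        return hmac.new(self._master, b"tenant/" + tenant_id.encode(), hashlib.sha256).digest()

    def _keystream(self, key: bytes, nonce: bytes, length: int) -> bytes:
        # Stdlib stand-in for a real AEAD: HMAC in counter mode produces the keystream.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def issue_credential(self, tenant_id: str) -> bytes:
        # A credential is bound to exactly one tenant id, under a label separate from the key.
        return hmac.new(self._master, b"cred/" + tenant_id.encode(), hashlib.sha256).digest()

    def authorized(self, credential: bytes, tenant_id: str) -> bool:
        return hmac.compare_digest(credential, self.issue_credential(tenant_id))

    def store_list(self, tenant_id: str, addresses: list) -> None:
        key, nonce = self._tenant_key(tenant_id), secrets.token_bytes(16)
        plaintext = "\n".join(addresses).encode()
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
        self._store[tenant_id] = (nonce, ciphertext, tag)

    def read_list(self, credential: bytes, tenant_id: str) -> list:
        # Authorization before decryption: a credential for client A never opens client B.
        if not self.authorized(credential, tenant_id):
            raise PermissionError(f"credential not scoped to tenant {tenant_id!r}")
        nonce, ciphertext, tag = self._store[tenant_id]
        key = self._tenant_key(tenant_id)
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
            raise ValueError("subscriber list failed integrity check")
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, self._keystream(key, nonce, len(ciphertext))))
        return plaintext.decode().split("\n")
```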
Why It Matters
The Epsilon breach remains one of the most significant events in email marketing security history. It demonstrated that the email addresses in your subscriber list aren’t just marketing data — they’re personally identifiable information that can be weaponized. It showed that email service providers are high-value targets precisely because they centralize data from many brands. And it proved that “just” names and email addresses, when combined with knowledge of brand relationships, create real and lasting harm.
For email marketers today, the lesson is clear: the data your subscribers entrust to you is a responsibility, not just an asset. Protecting that data — through encryption, access controls, vendor vetting, and security best practices — isn’t just a compliance checkbox. It’s fundamental to the trust that makes email marketing work.
Make sure your own email security fundamentals are solid. Understanding authentication protocols like SPF, DKIM, and DMARC is the starting point — learn the full history in our authentication timeline.
Frequently Asked Questions
What was the Epsilon data breach?
In March 2011, Epsilon Data Management, one of the world's largest email marketing service providers, suffered a data breach that exposed customer email addresses and names from approximately 75 of its client companies, affecting an estimated 60 million or more individuals.
Which companies were affected by the Epsilon breach?
Major brands affected included Best Buy, JPMorgan Chase, Citibank, Capital One, Kroger, TiVo, Walgreens, US Bank, Barclays Bank, Disney, Marriott, and Ritz-Carlton, among dozens of others.
How much did the Epsilon breach cost?
Various estimates placed the total cost at $225 million to $4 billion when accounting for notification costs, security upgrades, brand damage, and the downstream cost of phishing attacks enabled by the stolen data.