Marks & Spencer customers have been warned that their names and email addresses may have been exposed in the Epsilon data breach.
Marks & Spencer (M&S), a UK retail and financial services company, started sending out letters on Tuesday to warn customers that they may receive spam.
"We would like to reassure you that the only information that may have been accessed is your name and email address," the letter said. "No other personal information, such as your account details, has been accessed or is at risk. We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result."
Marks & Spencer requires customers to set up an account to order products online. The company said on Wednesday it used marketing services from Epsilon, a US-based email marketing company, and that customer details had been compromised in the recent Epsilon breach.
"Epsilon, our email marketing supplier, has informed us that a number of its clients' files have been accessed without authorisation, including Marks & Spencer," said the company in a statement. "The files were limited to names and email addresses and no other personal or financial information is at risk. We have contacted our customers to inform them of this incident."
Epsilon said in a statement on Friday that its systems had been hacked and email marketing lists had been stolen. A number of Epsilon's corporate customers issued their own warnings, including financial institutions Morgan Chase, Capital One Financial, and US Bank. Epsilon updated the statement on Monday to say that two percent of its customers — around 50 companies — had been affected.
An M&S spokeswoman said on Wednesday that commercial confidentiality made it impossible to disclose how many customers had been sent a warning, and that no decision had been made on the future of its relationship with the marketing company.
"There is an ongoing investigation at Epsilon," the spokeswoman said. "We are currently working with them, and we'll make a decision based on that investigation."
Companies that have sent out breach notifications include Barclays' US credit card arm, Barclays Bank of Delaware, according to security blogger Brian Krebs.
Barclays told ZDNet UK on Wednesday that no UK customers had been affected.
Dell Australia customer details were also compromised, according to The Australian. Dell EMEA said that UK customers had not been affected.
"Every indication that we have is that it's limited to Australia," a Dell spokeswoman told ZDNet UK. "We were informed by Epsilon that Australian consumers and SMBs [small to medium-businesses] were affected."
Bruce Schneier, BT's chief security technology officer, said customers of affected companies may be open to targeted attacks through profiling, but downplayed the attack on Epsilon's systems.
"Yes, millions of names and email addresses might have been stolen," said Schneier in a blog post on Tuesday. "Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalised and better targeted phishing attacks. So what? These sorts of breaches happen all the time, and even more personal information is stolen."