The breach, which keeps broadening in scope as more companies inform their customers, has thus far affected these top brands: TiVo, Walgreens, US Bank, Disney, JPMorgan Chase, Capital One, Citi, Home Shopping Network, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, and The College Board.
The notification emails each brand has been sending their customers is some version of the below.
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.
Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.
Techcrunch eventDisrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.San Francisco, CA | October 13-15, 2026Epsilon has reported this incident to, and is working with, the appropriate authorities.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
The College Board
Epsilon is assuring its customers that “only” email addresses and customer names were revealed in the breach but that’s actually not so reassuring. The ability to target spam emails to specific people leaves those affected by the attacks more vulnerable to phishing scams. People are more likely to trust something that looks like legitimate, direct communication. Again: Put on your thinking cap before you give anyone sensitive information like a password or social security number online.
The world’s largest email marketing service, Epsilon sends 40 billion emails a year and manages the customer email database for 2,500 clients according to Security Week. It is currently investigating the incident according to its own announcement.
