Consumers warned on e-mails after data attack

By D.C. Denison
Globe Staff / April 5, 2011

Consumers should be wary of e-mails that appear to be from businesses — including such big names as L.L.Bean Inc. and Best Buy Co. — affected by a widespread data breach at a Texas marketing firm, retailers and online security analysts said yesterday.

Epsilon, based in Dallas, said yesterday that it has “launched a full investigation” of the security breach, which gave hackers access to the names and e-mail addresses of customers of its corporate clients. Millions of customers of thousands of companies could be affected.

“Because of this breach, consumers should be especially vigilant in dealing with e-mail messages,” said Richard E. Mackey Jr., vice president of consulting at SystemExperts Corp. in Sudbury, which advises companies on security.

Although the compromised files do not include such sensitive information as Social Security information, bank account numbers, or credit card information, there are still dangers.

The main one, Mackey said, is “targeted phishing attacks,” in which hackers try to impersonate legitimate communications from companies in an attempt to get more valuable information, like credit card numbers or passwords to online accounts.

Hackers with names and customer e-mail lists are better able to focus their scams, Mackey said, because they know their target’s name and that the target is a customer of a specific company.

Many customers of Epsilon’s clients received e-mails from affected businesses over the weekend, advising caution regarding their personal e-mail accounts. Epsilon spokeswoman Jessica Simon would not comment further yesterday on the cause or means of the attack.

Best Buy issued a consumer alert that was typical of the kind of messages that millions of people are finding in their electronic mailboxes, warning customers to be suspicious of unusual e-mail messages. Best Buy’s chief marketing officer assured recipients that “the only information that may have been obtained was your e-mail address,” and added, “If you receive an e-mail asking for personal information, delete it. It did not come from Best Buy.”

Carolyn Beem, manager of public affairs at L.L. Bean in Freeport, Maine, said the company was notified on Friday that someone “unauthorized” had gained access to information about customers who have Bean’s Visa credit card that is managed by Barclays Bank of Delaware.

Barclays sent e-mails to its customers warning of the breach, but assured them that their credit card numbers are safe.

“We quickly posted the letter from Barclays, and put a notice on the front page of our website. We also created an information page for customers,” Beem said yesterday.

“We’ve been emphasizing that no personal information, other than names and e-mail addresses, has been accessed,” Beem said, “although we realize that doesn’t make this any less disquieting. We’re continuing to monitor the situation very closely.”

It was difficult yesterday to judge the scale of the breach. But according to the Internet security trade publication SecurityWeek, Epsilon sends out more than 40 billion e-mails annually for more than 2,500 clients, including such well-known names as Walgreen Co., Capital One Financial Corp., and The Walt Disney Co.

Mackey, of SystemExperts, said the kind of breach that happened at Epsilon happens on a smaller scale “hundreds of times a year.”

“It’s so common that we advise companies that they should prepare for an eventual compromise,” he said. “There are just so many vulnerabilities.”

Sometimes, Mackey said, hackers target a company site; on other occasions, they stumble upon openings and take advantage of them. Innocent accidents, like a lost laptop or a database file mailed to the wrong address, can compromise data.

“The best strategy is to always be careful, because sometimes the companies you deal with do not even know their data has been accessed by hackers,” Mackey said. “And when a company tells you they’ve been hacked, that’s when you should be extra careful.”

D.C. Denison can be reached at denison@globe.com.