Epsilon issued a statement on Friday saying that its email system had been accessed without authorization on March 30 and that a subset of its clients' customer data had been exposed.
"The information that was obtained was limited to email addresses and/or customer names only," the company said. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."
The marketing company's clients include Ameriprise Financial, Best Buy, Brookstone, Capital One, Citi, Disney Destinations, Home Shopping Network, JP Morgan Chase, Kroger, LL Bean Visa Card, McKinsey & Company, New York & Company, Ritz-Carlton Rewards, TiVo, US Bank, and Walgreens, among others.
While the exposed data -- email addresses and customer names -- isn't as sensitive as credit card or social security numbers, Epsilon's clients have nonetheless notified their customers.
The risk is that an attacker could craft a more convincing malicious message by leveraging the knowledge of the target's actual relationships with affected businesses, according to security firm Rapid7.
Capital One, for instance, said it had been notified about the breach and urged customers to be wary of targeted phishing attacks.
"Customers are reminded to ignore emails asking for confidential account or log-in information and remember that familiar looking links in an email can redirect to a fraudulent site," the company said. "If you get an email that claims to be from us but you aren't sure, or you think it's suspicious, don't click any of the links."
Brookstone, JP Morgan Chase, and TiVo have issued similar warnings, and presumably other Epsilon clients have as well.