
What is Epsilon, and why did it have your e-mail?

Before this weekend, you'd probably never heard of Epsilon Data Management. But the Texas-based marketing firm had almost certainly heard of you. 

In fact, the company behind the high-profile leak of data belonging to Best Buy, Target, The College Board, Walgreens and other big-name firms probably has an intimate relationship with you. It says it holds information on 250 million worldwide consumers, and its company credo is to offer a "complete 360 degree view" of customers. Getting a 360-degree view of Epsilon is a bit harder.

"People are saying, 'Who is this company and why should they have my personal information?'" said Larry Ponemon, a privacy consultant who runs The Ponemon Institute.

They also might wonder why at least one company executive thinks Americans are overly prone to "indignation" about unwanted e-mails.

Epsilon does the dirty work of e-mail list management, upkeep and complaint interference for household brands around the world, including Disney, Capital One and Kroger. Most consumers have no idea that Epsilon has their e-mail and name -- the e-mails generally appear to be from a retail firm with which the consumer has a business relationship. That relationship usually begins with a simple check box on a website or a form filled out during a retail store purchase, but it can last for years. Many consumers complained on Monday that they received warning notices about the e-mail leak from multiple companies. Some consumers might not have interacted with the firm for years before Epsilon's database was stolen.

"Jerks at @RobertHalf kept my data on file 3 yrs. after I told them I NEVER wanted to work w/ them again. Now a hacker has my data. #Epsilon," complained one Twitter user on Monday.

Epsilon's servers churned out 40 billion e-mails last year and are capable of sending 15 million per second, according to the firm's website.  And at least one of the company's executives clearly doesn't appreciate when consumers get in the way.

'Trigger happy'

A big part of Epsilon's job is convincing Internet service providers that the e-mails it sends on behalf of brand-name companies aren't spam. Annoyed recipients will trigger consumer complaints and spam reporting, which can cause a red flag at an ISP and ultimately disrupt an e-mail campaign.

Tony Cheung, an Epsilon vice president based in China, lamented in a recent column on the firm's site about Americans' "indignation response" to unwanted e-mails.

"Few Chinese e-mail users actually click to unsubscribe unwanted inbound mails, in stark contrast to the far more trigger-happy Americans and Europeans," he wrote.

By most accounts, Epsilon takes pains to stay on the right side of the law and of spam filters, and frequently offers advice to retailers that sending unwanted e-mails is a bad idea.  The firm's e-mails include the usual opt-out mechanisms, and it prides itself on something it calls "Epsilon Data Hygiene," which helps keep e-mail and direct marketing lists up to date.

Behind the curtain

But Friday's data theft offers a rare window into the secretive world of consumer database collection and third-party marketing firms. It's a view that bothers Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.

"Most companies do not tell the consumer that we're taking your information and sharing it for purposes of fulfilling this need -- for example, e-mail marketing or handling of the account," he said.  "They are not really being transparent about it."

But nearly all companies do it; very few handle e-mail relationships in-house, said Dave Franklin, a Forrester analyst who studies electronic marketing.  Firms like Epsilon -- and competitors like Acxiom and Merkle -- offer far more than mere e-mail services.  Epsilon is part of Alliance Data Systems, which offers broad customer relationship management services, including transaction processing and analytics. That means Epsilon is capable of tracking e-mail response rates, mapping them to in-store purchase decisions and demographic information, and analyzing the data with a host of other advanced marketing tools.

"They help companies build a holistic view of consumers," said Franklin.  "From an e-mail point of view, they help companies communicate with hundreds of thousands of consumers in a way that is effective, and making sure the e-mail is actually delivered into their inboxes. ... They make sure things fall under desired communication."

In one example, Domino's Pizza bragged that it would be able to send customers much more relevant e-mails because of its relationship with Epsilon.

"Preferred pizza flavors, soft drink purchases, times to order, location and other targeted customer factors will be utilized by Epsilon to deliver personalized offers for Domino's Pizza," the firm said, announcing that it had begun using Epsilon's "DREAMmail" e-mail platform in Australia.

Of course, a well-timed coupon for pizza – perhaps sent on Sunday during halftime – is usually welcomed by most consumers.  On the other hand, if unwanted coupons arrive persistently, and an opt-out message isn't attached, it's unlikely consumers would find their way to Epsilon's opt-out page to eliminate communications from the firm.

Aggressive aggregation

Epsilon started operations in 1969 but began ramping up its Internet marketing group in the middle of the last decade after being acquired by Alliance Data in 2004. Soon after, it spent nearly a billion dollars to acquire a series of smaller firms with large e-mail and marketing lists -- firms like Abacus (from DoubleClick for $465 million), CPC Associates (for $70 million), Bigfoot Interactive ($120 million in 2005) and DARTMail (also part of DoubleClick, for $90 million).

Epsilon doesn't send spam, said Franklin, the Forrester analyst.  "It works with blue chip companies, not with the unsavory stuff we see on the Internet."

That doesn't mean all its e-mails are welcome, but often Epsilon isn't the problem, he said.

"Sometimes it comes down to client pressure. They really should send out 200,000 e-mails, but it's the end of the quarter and they have a number to make so they send out 1 million because e-mail is cheap," he said.

There aren't many complaints about Epsilon spam e-mail online -- here's one concerning an unwanted Apple computer pitch in 1997 -- but most consumers wouldn't have any reason to file a complaint using Epsilon's name. That is, until they received notice that the firm had lost control of their e-mail addresses.

Epsilon's business is associating massive amounts of disparate, relevant data, but Franklin said he's spoken to company executives and is confident that only e-mail addresses and names were taken by the computer intruders.  He described the problems that could result from the stolen data as a nuisance more than anything else – an increase in phishing attacks, for example.

But Ponemon, the privacy expert, said the incident points to the cavalier attitude that data behemoths sometimes take with personal information.

"The data could have been encrypted, there's no reason it couldn't be, but it wasn't," Ponemon said.

Companies like Epsilon do their best to stay under the radar because once consumers pay attention, they begin making more demands on data collection firms.

"These kinds of data brokers operate in the shadows," Ponemon said. "Once they are visible, they have to operate to a higher standard. If you are going to complain about an e-mail, and don't realize a third party is sending that, to you it operates somewhere in outer space. You can't complain."

Indignance or arrogance?

An Epsilon vice president complaining that U.S. consumers are trigger happy or overly indignant about unwanted e-mail shows that the firm doesn't care enough about the consumers whose information it controls, Ponemon said. 

"It reveals an organizational culture. In their mind, we are worrying about nothing," he said, referring to unwanted e-mails. "This attitude involves such arrogance. ... I think it is a big deal."

Jessica Simon, head of Epsilon public relations, said the comments by the firm's vice president were "incredibly unrelated" to the e-mail theft incident, and referenced a study of consumer attitudes conducted in 2009.  She reiterated that only e-mail addresses and names were stolen, and said the incident only impacted 2 percent of its 2,500 clients. Not all of those clients use the firm's e-mail marketing tools, she added.

"We are pretty limited in what we can say but we are doing a thorough investigation," she said. 

Congress is currently considering its first major legislative effort surrounding privacy in more than a decade, as it studies a proposal to create a Do Not Track list for Web surfers and other ideas. None of them, however, would have prevented the Epsilon incident or would give consumers additional rights to deal with firms like Epsilon, Ponemon said.

Even proposals that would allow consumers to examine any of their personal information a company stores wouldn't help, because people often have no idea where their information is.

"I still think people don't understand the world of Internet marketing. They think they are dealing with a company, and it's this one to one relationship," he said. "They think, 'I give you my email because I know you.  I shop at Best Buy and I give them my email and it's OK. But I didn't really authorize a company I've never heard of to maintain my information.' I think people are surprised that once you give your information, you've lost control of it because you don't even know where to look for it."

For advice about the expected onslaught of spam coming as a result of this leak, read Helen Popkin's post.

Click here to follow Bob Sullivan on Facebook