Honors account information security data breach

Old Apr 4, 2011, 3:58 pm
  #16  
 
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Originally Posted by KoKoBuddy
It's stuff like this why I never allow my credit card info to be stored on Hilton's (or any vendor's) website.
The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only ?) so the worst that's likely to happen is you get a phishing or infected e-mail.

I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.

Incidentally, ever notice the HHonors log-in page is not SSL ?
Wally Bird is offline  
Old Apr 4, 2011, 5:00 pm
  #17  
 
Join Date: Oct 2010
Posts: 948
Anyone else surprised that there was nothing resembling an apology in this email?

Maybe it's for legal reasons, but it's weak. Yes, it's not Hilton's fault directly, it's just the company that they hired for this purpose...
adventureadam is offline  
Old Apr 4, 2011, 5:09 pm
  #18  
 
Join Date: May 2009
Location: MSP
Programs: Promus Preferred, ITT Sheraton Club
Posts: 674
No bonus points?
Minneapolis is offline  
Old Apr 4, 2011, 5:21 pm
  #19  
In Memoriam
 
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
Originally Posted by Wally Bird
The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only ?) so the worst that's likely to happen is you get a phishing or infected e-mail.

I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
That's pretty funny. It is about as far from the reality of the relation between Epsilon and Hilton as one could possibly get.

Epsilon has access to way more than the email and first name. Way more.
cordelli is offline  
Old Apr 4, 2011, 5:32 pm
  #20  
 
Join Date: May 2008
Location: YYZ
Programs: AC*SE, SPG Gold, HH D
Posts: 1,130
Originally Posted by cordelli
Epsilon has access to way more than the email and first name. Way more.
What information? Home address? Financial? Phone #s?
phedre is offline  
Old Apr 4, 2011, 6:07 pm
  #21  
 
Join Date: Jun 1999
Location: Somewhere
Posts: 1,230
Originally Posted by cordelli
That's pretty funny. It is about as far from the reality of the relation between Epsilon and Hilton as one could possibly get.

Epsilon has access to way more than the email and first name. Way more.
A few years ago they used to run most of the HHonors site, not sure if that's still the case but if so they do have access to more than just email. I do think the letter was a weak apology and probably the result of a legal review.
sunil is offline  
Old Apr 4, 2011, 7:10 pm
  #22  
 
Join Date: Dec 2003
Location: St. Paul, MN
Programs: Walmart Super Elite
Posts: 727
Odd, because I received a notice from US Bank regarding this security breach but nothing from Hilton, and I've been a HH member long before I signed anything with US Bank.
Bago'peanuts is offline  
Old Apr 4, 2011, 7:23 pm
  #23  
Original Poster
 
Join Date: Oct 2003
Location: DCA
Programs: UA LT 1K, AA EXP, Bonvoy LT Titan, Avis PC, Hilton Gold
Posts: 9,658
Just got the same notice from Marriott.
cova is offline  
Old Apr 4, 2011, 7:33 pm
  #24  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,850
Originally Posted by Wally Bird
The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only ?) so the worst that's likely to happen is you get a phishing or infected e-mail.
Right, but these phishing emails are potentially a bit more dangerous for the average person, because the hackers not only got names and email addresses, but also the knowledge that the person has a certain account with XYZ and uses that email address with that merchant/bank/... So instead of sending people a vague email trying to get them to provide confidential information, the phishing emails now can address them by name and mention that they have a credit card account with Chase or whatnot. Will quite likely increase the success rate somewhat.

I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
Does Hilton use them to send out emails containing, say, account information (statements?) that might include hhonors numbers?

Incidentally, ever notice the HHonors log-in page is not SSL ?
No. When I visit it, it's

https://secure.hilton.com/en/hhonors/login/login.jhtml


Originally Posted by Bago'peanuts
Odd, because I received a notice from US Bank regarding this security breach but nothing from Hilton, and I've been a HH member long before I signed anything with US Bank.

Same here. US Bank was the first email on Friday. Since then I have received emails from Citi and Chase. No Hilton (yet).
notquiteaff is online now  
Old Apr 4, 2011, 7:39 pm
  #25  
 
Join Date: Jul 2003
Location: West Palm Beach FL USA
Posts: 385
now up to 5 emails with the same verbiage

Got Hilton then Marriott now Walgreens and 2 others all the same letter different mailing addys hummm
a1bengal is offline  
Old Apr 4, 2011, 7:45 pm
  #26  
 
Join Date: Jul 2001
Programs: Hilton Lifetime Diamond
Posts: 1,266
........and just got one from Target.......and TIVO
milesmilesmiles is offline  
Old Apr 4, 2011, 7:47 pm
  #27  
 
Join Date: Oct 2003
Location: YYZ
Posts: 1,629
This is a clear breach of their privacy policy, in particular:

Protecting Personal Information

Hilton will take appropriate measures to: (i) protect personal information collected against unauthorized access, disclosure, alteration or destruction,
Obviously appropriate measures were not taken or there never would have been the breach!
todd-r is offline  
Old Apr 4, 2011, 8:23 pm
  #28  
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
 
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,506
Originally Posted by todd-r
Obviously appropriate measures were not taken or there never would have been the breach!
I used to offer 'breach insurance' to my clients when I was with a previous employer. While a number of breaches were due to employee stupidity (left laptop in plain sight in car while running into Starbucks in the morning, or a flashdrive that wasn't cleared properly), there were a number that were caused by 'professional' hackers on companies that had numerous safeguards in place. Breaches will happen and continue to happen, how a company responds is what will set a company apart and maintain the customer's trust.
Sweet Willie is offline  
Old Apr 4, 2011, 8:41 pm
  #29  
sk3
Suspended
 
Join Date: Jan 2002
Location: LAX
Programs: AA Gold
Posts: 2,741
Originally Posted by Wally Bird
...Incidentally, ever notice the HHonors log-in page is not SSL ?
Originally Posted by notquiteaff
Interesting, in agreement with Wally Bird, I've noticed for some time that logging in to Hilton is with an unsecured URL. I've had bookmarked HH's homepage and that's where I've always logged in:
http://hhonors1.hilton.com/en_US/hh/home_index.do

The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.

FWIW the homepages for SPG.com and AA.com where I log in from are also NOT secured. notquiteaff - got a secure link for them?

Back on OT, I also received the email this afternoon but I'm not worried. If Epsilon was connected to my airline accounts I would be though - big time.

Sure my cc number is at Hilton, but I don't worry about that at all. Being "robbed" by fraudulent cc usage is the one theft I wouldn't mind because I'm fully protected by the credit card's policy against fraud.

However, what I do worry about is ID Theft, having been a victim of it before. Someone had my name and SSN and was able to open a cell phone account which (not surprisingly) the thief never paid. They opened it under my name and SSN but with a different address so I never received any of the bills. It wasn't until it went to a collection agency who then tracked down my real address via my SSN that a notice was ever sent to me.

So the fact that airlines now have not only my name and address, but thanks to the Secure Flight policy, my DOB - if those accounts were breached ID thieves would have a real leg up to wreak havoc with one's credit rating....
sk3 is offline  
Old Apr 4, 2011, 9:27 pm
  #30  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,850
Originally Posted by sk3
Interesting, in agreement with Wally Bird, I've noticed for some time that logging in to Hilton is with an unsecured URL. I've had bookmarked HH's homepage and that's where I've always logged in:
http://hhonors1.hilton.com/en_US/hh/home_index.do

The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.

FWIW the homepages for SPG.com and AA.com where I log in from are also NOT secured. notquiteaff - got a secure link for them?
FWIW, I get the secured Hilton Honors login page if I go to http://hhonors.com and click on My Account in the upper right-hand corner.

Similar for SPG - the login screen on the home page itself may not be secured (I didn't check if it actually posts to an Https URL though), but if you click on the login link, you get

https://www.starwoodhotels.com/prefe...t%2Findex.html

AA is left as an exercise to the reader
notquiteaff is online now  
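
The question raised in the posts above, whether a login box on an unsecured home page still posts to an https URL, can be answered from the page's HTML. The following is an added example, not part of any post in this thread; the `hotel.example` host names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects the action attribute of each <form> holding a password field."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = ""
        self.has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form, self.has_password = True, False
            self.action = attrs.get("action") or ""
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.has_password:
                self.login_actions.append(self.action)
            self.in_form = False


def classify_login(page_url, html):
    """Return (verdict, post_url) for the first login form, or None if absent."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    if not finder.login_actions:
        return None
    # An empty or relative action resolves against the page's own URL and scheme.
    post_url = urljoin(page_url, finder.login_actions[0])
    page_tls = urlsplit(page_url).scheme == "https"
    post_tls = urlsplit(post_url).scheme == "https"
    if not post_tls:
        return "cleartext-post", post_url   # password crosses the network unencrypted
    if not page_tls:
        return "tls-post-only", post_url    # form arrived unprotected; its action could be rewritten in transit
    return "tls-page-and-post", post_url


# Constructed sample: http home page whose login box posts to an https URL.
SAMPLE_URL = "http://hotel.example/home"
SAMPLE_HTML = ('<form method="post" action="https://secure.hotel.example/login">'
               '<input name="user"><input type="password" name="pw"></form>')
print(classify_login(SAMPLE_URL, SAMPLE_HTML))
```

Only the `tls-page-and-post` result means both the form and the submitted credentials were protected; `tls-post-only` encrypts the password in transit but relies on a form that was itself delivered without integrity protection.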

