Customers of JPMorgan Chase (NYSE: JPM), Citigroup (NYSE: C), Capital One (NYSE: COF), and US Bancorp (NYSE: USB) May Have E-Mail Addresses Hacked

Customers of some of the nation’s largest companies, including many of the nation’s largest banks, may begin to receive a flood of unwelcome mail due to a security breach at a national third-party email fulfillment company.

JPMorgan Chase (JPM), Citigroup Inc. (C), US Bancorp (USB) were among the companies that were reporting that some of their customers name and e-mail addresses were accessed. Capital One Financial, Inc. (COF) was also on the list. 

Reuters, among others, is reporting that Epsilon, an online marketing unit of Alliance Data Systems Corp (ADS.N), had some of its clients’ customer files hacked into on Friday.

In a media statement from Epsilon, the company said, “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s e-mail system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

Epsilon sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company’s website or who give their e-mail addresses while shopping.

Law enforcement authorities are investigating the breach, though it was unclear on Sunday how many customers had been exposed. Epsilon is also investigating what went wrong.

“While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else,” said Epsilon spokeswoman Jessica Simon. “We can’t confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time.”

The first reaction to news like this is to be skeptical. However in the interest of full disclosure, I can tell you that on Sunday morning, I received an email from one of the banks that I have business with that alerted me that my name and e-mail address was obtained because of the breach.