Epsilon, the world’s largest provider of permission-based email marketing, has suffered a huge data breach. That means hackers may have swiped customer data belonging to the world’s biggest brands.

Epsilon sends more than 40 billion emails a year on behalf of 2,500 brands. Security Week said the breach has affected a number of those brands, including grocery retailer Kroger, TiVo, Marriott Rewards, Ritz-Carlton Rewards, US Bank, JPMorgan Chase, Capital One, Citi, McKinsey & Company, New York & Company, Brookstone, and Walgreens.

At first, the breach was believed to have affected only Kroger. But more and more companies have been confirming that they have had their data stolen as well. Epsilon builds and hosts customer databases for brands, making it a prime target for hackers. In many cases, the data lost is simply someone’s email address. But Security Week says that’s all that a hacker needs to try a targeted phishing attack against the customer, who will expect to have communication from these brands. You might, for instance, receive a message from Brookstone about a special offer addressed to your name. But it may be carrying a virus that exposes you to data theft if you simply open the email. These kinds of phishing attacks are likely to have a higher success rate.

Marriott Rewards and Ritz Carlton Rewards told SecurityWeek that their customer names, email addresses, and member point balances were exposed. Citi warned customers via Twitter about the incident. Epsilon disclosed the breach late Friday.

[image credit: alertsec]