Mothercare follows M&S down the Epsilon data breach trail

As reported previously, Tuesday night saw M&S emailing customers on its email marketing database to advise them their names and email addresses have been compromised in the Epsilon data breach in the US.

Digital marketing giant Epsilon had issued a terse press statement late last Friday, advising that its database system had been breached.

Around 50 companies - mainly big brand names in the US - have been affected by the database hack, but now it appears that M&S and Mothercare are two more UK names to add to the list.

In a carefully worded email sent late yesterday to its email subscriber base, Mothercare said: "We have been informed by Epsilon, a company we use to send emails to our customers, that some Mothercare customer email addresses have been accessed without authorisation."

"We are among several companies affected by this data breach. Epsilon stressed that the only information accessed was names and email addresses; they confirmed that no other personal information, such as your account details, has been affected or is at risk."

"The most likely impact, if any, could be receipt of spam emails. As a precaution we would like to remind you to only open emails from senders you know and not to share personal information via email."

"We apologise for any inconvenience this may cause you. We take your privacy very seriously and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorised access."

Commenting on the involvement of UK firms in the Epsilon data breach saga, Amichai Shulman, CTO of data security specialist Imperva, said that - a week after the US database breach - the ripple effect is starting to be felt here in the UK.

“In fact, this breach is shaping up to be one of the biggest this year, and possibly to date as more victims come out of the shallows”, he said.

“As Epsilon sends out more than 40 billion email ads annually, there is a strong possibility that you may have received a [marketing] email [from Epsilon’s servers] recently”, he added.

The key question, says Shulman, is what a hacker can actually do with such information.

Correlating the information in the different lists, he claims, opens up the opportunity for ‘spear-phishing’ campaigns - emails that target specific individuals.

“To fool the recipient into believing they’re legitimate, they will contain personal details that only an individual [that is] familiar - or conducting business - with the victim should know”, he said.

“Having cross referenced the two lists, the hacker can target them with an email, purporting to come from M&S, offering promotions on its baby-care items if the customer signs up for the service”, he added.

The net result, says Shulman, is that the customer is deceived, clicks on the link to register and, as part of the process, is asked to provide additional information such as a credit card number.

“Hey presto - the hacker now has more than just an email address”, he said.
