Chase Bank: Including Customer Information in Marketing Email Sent to Spamtraps
Months after I first blogged about Chase Bank sending marketing emails to an email address that had been closed for many years via Acxiom Digital, and after I added a comment to that blog indicating that Chase was sending marketing emails to a different email address via Epsilon Interactive (Bigfoot Interactive), this second email address is *still* receiving the same bulk emails. Worse, they STILL contain the customer’s name and the last four digits of the customer’s credit card number, although the customer has not owned this email address for years!
Both Acxiom Digital and Epsilon were warned about this a while ago. Acxiom Digital contacted me about the issue, and appears to have dealt with it; at least, no more emails to that email address have been sent. Epsilon did not contact me, and also does not appear to have changed anything despite knowing (or at least having been notified) that at least one email address on their list for Chase was a spamtrap.
This email is spam, of course; sending email to a years-dead email address that rejected all email for over twelve consecutive months is an indication of a poorly managed bulk email list. However, the real issue with it is not the spam. It is that customer information is being leaked to unknown individuals because Chase either did not check to see that email addresses that it has actually belong to its customers, or for an extended period did not pay attention to which emails were rejected, showing that the email address was no longer valid. I was once a Chase customer. I am VERY glad that I am no longer a Chase customer. :/
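The list-hygiene check that this paragraph says was missing, as an added example (not code from this post, from Chase, or from either email service provider). The function names, both thresholds and the sample log are assumptions made for illustration. It suppresses addresses that keep rejecting mail, and withholds the customer's name and card digits from any address that starts accepting mail again after a year of rejections.

```python
from datetime import date, timedelta

DEAD_AFTER = timedelta(days=365)  # assumed: length of rejection run that marks an address dead
HARD_BOUNCE_LIMIT = 3             # assumed: consecutive 5xx replies before suppression

def classify(events):
    """events: (date, address, smtp_reply_code) tuples in any order.
    Returns {address: "ok" | "suppress" | "reconfirm"}."""
    history = {}
    for day, addr, code in sorted(events):
        history.setdefault(addr.lower(), []).append((day, code))
    verdicts = {}
    for addr, replies in history.items():
        run_start, run_len, was_dead = None, 0, False
        for day, code in replies:
            if 500 <= code <= 599:              # permanent rejection
                run_start = run_start or day
                run_len += 1
                was_dead = was_dead or (day - run_start >= DEAD_AFTER)
            elif 200 <= code <= 299:            # accepted: ends the rejection run
                run_start, run_len = None, 0
            # 4xx replies are temporary and leave the state unchanged
        if run_len >= HARD_BOUNCE_LIMIT or (run_len and was_dead):
            verdicts[addr] = "suppress"         # still rejecting: stop mailing
        else:
            # Accepting again after a year of rejections: owner may have changed.
            verdicts[addr] = "reconfirm" if was_dead else "ok"
    return verdicts

def plan_send(recipients, verdicts):
    """Drop suppressed addresses; strip account details from unconfirmed ones."""
    plan = []
    for addr, name, last4 in recipients:
        verdict = verdicts.get(addr.lower(), "ok")
        if verdict == "suppress":
            continue
        if verdict == "reconfirm":
            name, last4 = None, None            # generic re-confirmation notice only
        plan.append((addr, name, last4))
    return plan

# Constructed sample log (not from the post): one send every 30 days per address.
def series(addr, codes, start=date(2010, 1, 6)):
    return [(start + timedelta(days=30 * i), addr, c) for i, c in enumerate(codes)]

SAMPLE_LOG = (series("old@example.com", [550] * 14 + [250, 250])
              + series("gone@example.com", [250, 550, 550, 550])
              + series("live@example.com", [250, 451, 250])
              + series("blip@example.com", [250, 550, 250]))
```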
Sending IP: 206.132.3.142
Spam Sample:
Actual Headers:
Received: from bigfootinteractive.com (arm142.bigfootinteractive.com [206.132.3.142]) by <xxx> (Postfix) with ESMTP id <xxx> for <xxx>; Fri, 6 Jan 2012 15:xx:xx -0600 (CST)
DKIM-Signature: <xxx>
DomainKey-Signature: <xxx>
Received: from [192.168.xx.xx] ([192.168.xx.xx:xx] helo=<xxx>) by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@email.chase.com>) (ecelerity 2.2.2.45 r(34222M)) with ESMTP id <xxx>; Fri, 06 Jan 2012 16:xx:xx -0500
Reply-To: "Chase" <<xxx>@email.chase.com>
Bounces_to: chase.<xxx>@email.chase.com
Message-ID: <<xxx>.DumpShot.<xxx>@email.chase.com>
X-SS: <xxx>
X-BFI: <xxx>
Date: Fri, 06 Jan 2012 16:xx:xx EST
From: Chase Card Services <Chase@email.chase.com>
Subject: Balance Transfer Offer from Chase
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="<xxx>"
Readable Email:
From: Chase Card Services <Chase@email.chase.com>
To: <spamtrap>
Subject: Balance Transfer Offer from Chase
Reply-To: Chase <<xxx>@email.chase.com>
Start saving with Chase Freedom(R). Make a balance transfer now. Please click below or copy and paste the link below into your browser:
http://email.chase.com/<xxx>
SAVING IS SIMPLE WITH A GREAT RATE.
—————————————————————–
0.00%
Through your billing cycle that ends in March 2013(*)
<removed>
EMAIL SECURITY INFORMATION
E-mail intended for: <CUSTOMER NAME REMOVED>.
For your account ending in: <LAST FOUR DIGITS OF CARD # REMOVED>.
If you are concerned about the authenticity of this message, please click below or copy and paste the link below into your browser:
http://email.chase.com/<xxx>
Or call the phone number on the back of your credit card and
reference the Chase Library Code: <xxx>.
<removed>
If you wish to unsubscribe from e-mail promotional messages from Chase Card Services, please click here.:
http://email.chase.com/<xxx>
Please note that you will continue to receive service-related email messages that directly concern your existing Chase products and services. Please allow up to ten business days for us to process your request.
If you want to contact Chase, please do not reply to this message, but instead go to:
http://email.chase.com/<xxx>
For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.
Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy – please click below or copy and paste the link below into your browser:
http://email.chase.com/<xxx>
To request in writing:
Chase Privacy Operations
PO Box 659752
San Antonio, Texas 78265-9752
(C)2012 JPMorgan Chase & Co.