Chase Bank: Including Customer Information in Marketing Email Sent to Spamtraps

Months after I first blogged about Chase Bank sending marketing emails to an email address that had been closed for many years via Acxiom Digital, and after I added a comment to that blog indicating that Chase was sending marketing emails to a different email address via Epsilon Interactive (Bigfoot Interactive), this second email address is *still* receiving the same bulk emails. Worse, they STILL contain the customer’s name and the last four digits of the customer’s credit card number, although the customer has not owned this email address for years!

Both Acxiom Digital and Epsilon were warned about this a while ago. Acxiom Digital contacted me about the issue, and appears to have dealt with it; at least, no more emails to that email address have been sent. Epsilon did not contact me, and also does not appear to have changed anything despite knowing (or at least having been notified) that at least one email address on their list for Chase was a spamtrap.

This email is spam, of course; sending email to a years-dead email address that rejected all email for over twelve consecutive months is an indication of a poorly managed bulk email list. However, the real issue with it is not the spam. It is that customer information is being leaked to unknown individuals because Chase either did not check to see that email addresses that it has actually belong to its customers, or for an extended period did not pay attention to which emails were rejected, showing that the email address was no longer valid. I was once a Chase customer. I am VERY glad that I am no longer a Chase customer. :/

Sending IP: 206.132.3.142

Spam Sample:

Actual Headers:

Received: from bigfootinteractive.com (arm142.bigfootinteractive.com [206.132.3.142])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Fri,  6 Jan 2012 15:xx:xx -0600 (CST)
DKIM-Signature: <xxx>
DomainKey-Signature: <xxx>
Received: from [192.168.xx.xx] ([192.168.xx.xx:xx] helo=<xxx>)
        by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@email.chase.com>)
        (ecelerity 2.2.2.45 r(34222M)) with ESMTP
        id <xxx>; Fri, 06 Jan 2012 16:xx:xx -0500
Reply-To: "Chase" <<xxx>@email.chase.com>
Bounces_to: chase.<xxx>@email.chase.com
Message-ID: <<xxx>.DumpShot.<xxx>@email.chase.com>
X-SS: <xxx>
X-BFI: <xxx>
Date: Fri, 06 Jan 2012 16:xx:xx EST
From: Chase Card Services <Chase@email.chase.com>
Subject: Balance Transfer Offer from Chase
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="<xxx>"

Readable Email:

From: Chase Card Services <Chase@email.chase.com>
To: <spamtrap>
Subject: Balance Transfer Offer from Chase
Reply-To: Chase <<xxx>@email.chase.com>

Start saving with Chase Freedom(R). Make a balance transfer now. Please click below or copy and paste the link below into your browser:

http://email.chase.com/<xxx>

SAVING IS SIMPLE WITH A GREAT RATE.
—————————————————————–
0.00%
Through your billing cycle that ends in March 2013(*)

<removed>

EMAIL SECURITY INFORMATION

E-mail intended for: <CUSTOMER NAME REMOVED>.
For your account ending in: <LAST FOUR DIGITS OF CARD # REMOVED>.

If you are concerned about the authenticity of this message,please click below or copy and paste the link below into your browser:

http://email.chase.com/<xxx>

Or call the phone number on the back of your credit card and
reference the Chase Library Code: <xxx>.

<removed>

If you wish to unsubscribe from e-mail promotional messages from Chase Card Services, please click here.:

http://email.chase.com/<xxx>

Please note that you will continue to receive service-related email messages that directly concern your existing Chase products and services. Please allow up to ten business days for us to process your request.

If you want to contact Chase, please do not reply to this message, but instead go to:

http://email.chase.com/<xxx>

For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy – please click below or copy and paste the link below into your browser:

http://email.chase.com/<xxx>

To request in writing:
Chase Privacy Operations
PO Box 659752
San Antonio, Texas 78265-9752

(C)2012 JPMorgan Chase & Co.

6 Responses to Chase Bank: Including Customer Information in Marketing Email Sent to Spamtraps

  1. heh.. they actually have the nerve to say “Your personal information is protected by state-of-the-art technology.”

    AFAIK the Office of the Comptroller of Currency is the regulator for JPMorgan Chase Bank, NA.. Might be worthwhile letting the OCC know that a financial institution under its jurisdiction is spewing out customer PII. (or might be an exercise in futility, IDK… but IMHO only one way to find out for sure;)

  2. Chase is in New York (has been since 1799 in one form or another, apparently), and the OCC does appear to be a federal U.S. institution.

  3. I believe that I am going to launch a complaint with the Office of the Comptroller of Currency. Chase is still sending marketing emails to this spamtrap address. I have no indication that they or their ESP are doing anything about this.

    My mother worked for a bank in the 1970s and 1980s. The bank that she worked for at that time would have been horrified to find that they had outdated contact information and had sent any sort of information about the customer to the wrong address or person. Local banks and credit unions in the United States still seem to have the same sort of ethic. Not Chase, not Citi, and not Bank of America, judging from what I have seen in my spamtrap emails over the past year. 🙁

  4. Pingback: Chase Bank: Sending Transactional Email to a Spamtrap » MainSleaze

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top