Target Spams Email Appended List with Data Breach Notice

U.S.-based retailer Target, which recently suffered a massive data breach, has responded to that breach by hiring an email appender to append scraped email addresses (some of them closed for over a decade) to their customer list. Target then spammed that appended list over the past few days. The ESP is Epsilon, via its subsidiary Bigfoot Interactive.

I was traveling, but Laura Atkins at Word to the Wise blogged about her experience receiving this email. Several antispammers that I know reported seeing the spam in their spamtrap collections as well. After I got home, I checked my spamtrap collection, and found about a dozen spams to my own spamtraps after searching for spam sent from only one IP on one day (January 17).

Spamming an email appended list just to advertise products or services is bad enough. Email appending is one of the dirtiest spam practices that is not outright criminal. Spamming an appended list after cybercriminals stole your customer database, however, is an epic fail. Surely Target understood that cybercriminals will send phish emails to those email addresses? Surely Target understood that their emails would be taken for criminal phish by many customers, who would have deleted unread any email that claimed to come from Target? Apparently Target’s decisionmakers did NOT understand these simple facts that any remotely intelligent, non-technical Internet user knew without having to think further about it?

I would very much like to know what Epsilon was thinking to allow a customer to email an appended list from their IP ranges. Were they unaware that Target had hired an email appender?

While this situation shakes out, I have a recommendation. First, if you ever shopped at Target and used a credit or debit card that you still have, you should request a new card with a new number from your bank, credit union or financial institution. Second, if you must shop at Target in the future, shop in a physical store only (not at Target.com) and use cash to avoid giving Target your private information.

Sending IP: 206.132.3.176

Spam Sample:

Actual Headers:

Received: from bigfootinteractive.com (arm176.bigfootinteractive.com [206.132.3.176])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Thu, 16 Jan 2014 16:##:## +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; d=target.bfi0.com; s=ei; c=simple/simple;
        q=dns/txt; i=@target.bfi0.com; t=<xxx>;
        h=From:Subject:Date:To:MIME-Version:Content-Type;
        bh=<xxx>=;
        b=<xxx>=;
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
        s=ei; d=target.bfi0.com;
        h=Received:Reply-To:Bounces_to:Message-ID:X-SS:X-BFI:Date:From:Subject:To:MIME-Version:Content-Type;
        b=<xxx>=
Received: from [192.168.##.##] ([192.168.##.##:##] helo=<xxx>)
        by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@target.bfi0.com>)
        (ecelerity 2.2.2.45 r(34222M)) with ESMTP
        id <xxx>; Thu, 16 Jan 2014 11:##:## -0500
Reply-To: =?iso-8859-1?B?<xxx>?= <<xxx>@target.bfi0.com>
Bounces_to: Bounce.<xxx>@target.bfi0.com
Message-ID: <<xxx>@target.bfi0.com>
X-SS: <xxx>
X-BFI: <xxx>
Date: Thu, 16 Jan 2014 11:##:## EST
From: =?iso-8859-1?B?<xxx>==?= <TargetNews@target.bfi0.com>
Subject: Important message from Target to our guests
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="<xxx>"

Readable Email:

From: Target.com <TargetNews@target.bfi0.com>
To: <spamtrap>
Subject: Important message from Target to our guests
Reply-To: <<xxx>@target.bfi0.com

Dear Target Guest,

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian\222s® ProtectMyID® product activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.

<removed>

Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.

Gregg Steinhafel
Chairman, President and CEO

5 Responses to Target Spams Email Appended List with Data Breach Notice

  1. Epsilon are more than likely the source of the ePend file, so yeah, they are probably aware of it.

  2. Could be. Somebody sent me this link in a private email:

    https://twitter.com/AskTarget/status/424243725221785600

    Steve Atkins, the husband of Laura Atkins and co-blogger on Word to the Wise, points out that they were spammed at an email address that they gave to Amazon. If Amazon had some sort of partnering arrangement with Target, that might account for some (or even all) of the bad email addresses on Target’s list without an email appender being involved. However, the email was spam in any event. :/

    • Target.com used to be handled through Amazon. In particular, here’s a randomly googled article from 2009 talking about how Target planned to move their own e-commerce setup by 2011 instead of using Amazon.

      So if Steve and Laura Atkins always used tagged email addresses when signing up for sites (say, atkins+sitename@example.com), and they ordered something from Target.com 5 or 6 years ago, it seems likely that the order would have been processed using their Amazon account (atkins+amazon@example.com), and it would be fairly reasonable for Amazon to pass along that information to Target.

      Now I can’t say for sure that’s what happened — maybe they never ordered from Target.com — but it’s at least a reasonable possibility. And if it is the case, then it’s possible that the email address was part of the data breech (the second announced breech — not the point-of-sale/CC# breech). I’d consider a single notification email to a compromised address to not be spam, though Target still deserves criticism for the events leading up to the breech.

      • As mentioned in my comment over at Word to the Wise blog, the tagged address I received the Target notice was for an address given ONLY to Amazon and used for Amazon account/purcahses. It was not an address that I used when Target used Amazon backend services for fufillment prior to 2009ish. I had a Target tagged address for that.

        I received two notices. One to the Target tagged address back in December and one to the Amazon address last week.

        About the only thing that might tie these addresses together via your big-data “create a phatom profile for everyone, even if they are not a customer…yet” would be the domain name, shipping addresses, and credit card numbers. (“Real Name” profile data like first and last name are probably similar enough to match on, too.)

        • On further though (and with further information), I’m convinced that whatever Target did wrong (a whole boatload of stuff), they did not hire an email appender. They simply thought that a data breach justified blasting out a bulk emailed warning to a boatload of old email addresses that had only a marginal connection with them. They did not necessarily have permission to send bulk email to many of those email addresses, but they don’t appear to have bought them from Jigsaw or Walter Karl (or somebody selling a Millionez CD). :/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top