5 Comments

Summary:

Updated. On Wednesday morning, the New York Times sent a number of emails urging customers to call a toll-free number to renew their subscriptions. They seem to have been sent by Epsilon Data Management, an email marketing firm which had a major data breach in March.

The spam email sent by the New York Times (click to enlarge)

The spam email sent by the New York Times (click to enlarge)

UPDATED. On Wednesday morning, I received an email from the New York Times asking me to reconsider my recent decision to cancel my home delivery subscription. The email included a toll-free number for me to call to renew my subscription at an “exclusive” discounted rate.

There is one big problem here: I’ve never had a home delivery subscription to the New York Times. And also, no one picked up when I called the toll-free number, which does not seem to be listed to the NYT.

Apparently, I’m not the only one who has received a bogus email. In Tweets sent Wednesday morning, New York Times spokesman Robert H. Christie answered scores of confused messages from customers by saying the emails are likely a “spam” issue and that the paper was looking into the problem.

A closer look at the email’s details (which can be accessed by clicking “show details” on Gmail) reveals that the email’s DomainKeys Identified Mail, or “DKIM” was not signed, which is an indication that the email may not be on the up-and-up. The message was also apparently sent by bfi0.com, a mail server that’s registered to Epsilon Data Management, division of Alliance Data Systems that manages email marketing campaigns. It’s still early to tell, but it looks like Epsilon has been contracted by the NYT to do its email marketing campaigns, and that Epsilon’s security has been compromised.

This wouldn’t be the first time a big email list run by Epsilon Data Management has been broken into by an unauthorized third party. Earlier this year, customer email lists belonging to JP Morgan Chase, TiVo and 38 other companies were affected when hackers broke into Epsilon’s systems and accessed names and email addresses. Epsilon sends more than 40 billion emails per year for dozens of big name clients in the worlds of finance, retail, hospitality and the like. More sensitive details such as credit card numbers were not accessed in that breach back in March, but an unauthorized third party posing as a company like JP Morgan could result in some customers fall victim to phishing attacks where they give up more personal or financial data.

We’ve reached out to the New York Times for comment on the spam issue and whether they contract their email campaigns to Epsilon Data; this post will be updated with any details we receive.

UPDATE, 1:00PM PT: NYT spokeswoman Eileen Murphy responded via email: “An email was sent earlier today from The New York Times in error. This email should have been sent to a very small number of subscribers, but instead was sent to a vast distribution list made up of people who had previously provided their email address to the New York Times. We regret the error.” I followed up asking whether the Times, Epsilon, or an unauthorized third party was responsible for the error; and Murphy responded that it was “an error on the part of the New York Times.” This, of course, contradicts the multitude of earlier messages sent by the New York Times communications department’s official Twitter account assuring readers that “The email was not sent from the New York Times.”

An earlier version of this story’s headline read “New York Times email list spammed in another apparent Epsilon Data breach.” This was changed once more information was received from the New York Times.

You’re subscribed! If you like, you can update your settings

  1. I got the spam email today, too and was never a home delivery Time subscriber. Thanks for the heads-up and keep us posted on what is learned.

  2. This is going to be a textbook case history of how not to handle a PR problem.

    1. I agree with you there, Ben. Lots of mixed messages out of the NYT today. I wonder how it’s really avoidable, though, in the age of Twitter and the like.

  3. You would think the digital team at the Grey Lady would understand how to approach this better. Guess everyone with a clue is off skiing.

  4. I am a current subscriber, I was surprised the nyt thought I cancelled, I assumed it was a confusion over my hold request for the holidays. Worst case I figured I was going to get 50% off for the next 16 weeks. Rats, I guess I won’t be getting that after all … Unless they want to apologize for spamming me.

Comments have been disabled for this post