Hackers behind what computer security experts believe could be the biggest data theft in US history may be planning to sell the information to cyber criminals for targeted scams.

And while the tens of millions of names and e-mail addresses swiped from online marketing firm Epsilon do not appear to have been used yet for cyber crime, the experts said it may just be a matter of time.Major US banks, hotels, retail outlets and other companies have been warning customers to be wary of fraudulent e-mails after Epsilon acknowledged last week that hackers had gained access to the Texas-based company’s e-mail system. Epsilon, which provides e-mail services for some 2,500 companies around the world, has said that customer data for about two per cent of its total clients was exposed in what it called an “unauthorised entry”.

Epsilon, which sends out over 40 billion e-mails a year, did not identify the firms whose customers’ names and e-mail addresses were taken but dozens of US companies have come forward over the past few days.

“It’s basically a who’s who from the retail and banking space,” said Nicholas Percoco, head of Trustwave’s SpiderLabs. “Some of the top brands in the world.”

They include Hilton and Marriott hotels, telecom giant Verizon, drugstore chain Walgreens, the Home Shopping Network and retailers Best Buy, Kroger, New York & Co. and Target.

Among the banking and financial firms that have notified customers of the breach are Citigroup, JPMorgan Chase, Capital One, US Bank, Barclays Bank of Delaware and Ameriprise Financial.

Security experts said the data theft at Epsilon could be the largest ever in terms of sheer volume, comparable to the exploits of Albert Gonzalez, one of the most prolific US commercial hackers ever.

Mr Gonzalez is serving 20 years in prison for stealing tens of millions of debit and credit card numbers from firms supporting major US retailers and financial institutions.

Mr Percoco said the Epsilon data theft may involve as many as 100 million unique e-mail addresses and “could end up being the largest breach ever of raw personal data, consumer data”.

Marian Merritt, internet safety advocate at Symantec, the maker of Norton anti-virus software, said data breaches occur frequently but “all indications are this could be the biggest one in history”.

It is unlikely to prove as damaging, however, as the Gonzalez scams.

“The good news is it’s just the names and the e-mail addresses and the affiliation of the company that you did business with,” said Joris Evers, a security expert at McAfee.

“It’s not your credit card number or your social security card number or your home address... information that could be more personal and used in more nefarious ways immediately,” Mr Evers said. “There’s a lot of work to do before you can convert this into cash.” The information stolen from Epsilon is more valuable because it links names and e-mail addresses with particular companies that an individual already has a trusted relationship with.

“They’ve got your name, not your user name, but your actual name, your e-mail address and brands that you regularly do business with and trust in an e-mail relationship,” Ms Merritt said.

“You’ve already identified yourself as willing to receive communications from those brands,” she said. “So the cybercriminals have pretty good information to use against you.”

Mr Evers said such information can be a “treasure trove” for cyber attackers because now they can start personally targeting individuals, a tactic known as “spear phishing.”

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.