Alliance Data Provides Statement Surrounding Unauthorized Entry Incident at Epsilon Subsidiary

Investigation Continues to Confirm Compromise Limited to Email Addresses and Names; No Personal Identifiable Information (PII) Compromised

DALLAS, TEXAS - Alliance Data Systems Corporation (NYSE: ADS), parent company of Epsilon, yesterday reaffirmed Epsilon’s previous statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personal identifiable information (PII) was compromised, such as social security numbers, credit card numbers or account information. Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations.

Late last week, Epsilon detected that customer information of a subset of Epsilon’s email clients had been exposed by an unauthorized entry into its email system. The affected clients represent approximately 2% of Epsilon’s total client base. Since the discovery of the unauthorized entry, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised.

“We are extremely regretful that this incident has impacted a portion of Epsilon’s clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information,” said Bryan J. Kennedy, president of Epsilon. “We apologize for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers’ confidence.”

Epsilon is working with Federal authorities, as well as other outside forensics experts, to both investigate this matter and to ensure that any additional security safeguards needed will be promptly implemented. Within Epsilon, security protocols controlling access to the system have undergone a rigorous review, and access has been further restricted as the ongoing investigation continues.

“We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize,” said Ed Heffernan, chief executive officer, Alliance Data. “While we can’t reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets – their customers. Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency.”

Marketing campaigns were restarted as clients continue to receive further assurance regarding security. Epsilon’s email volumes are not expected to be significantly impacted.

The Company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients. Specifically, the Company’s number one priority over the near and long-term will be to ensure that Epsilon’s clients regain complete trust in the company’s operations. Epsilon has earned its premier provider status in the transactional-based micro-targeted marketing space, and is well positioned to retain it. All efforts will be made to reach out to those affected clients and provide whatever assistance is needed to preserve their business over the long term.

The Company expects this incident to have minimal if any impact on Alliance Data’s financial performance, guidance or overall positive outlook over the foreseeable future.

The Company urges all consumers to take appropriate precautions and be vigilant with regard to opening emails and/or accessing links sent by unknown sources.