Update: New York Times email list spammed — by the New York Times

The spam email sent by the New York Times (click to enlarge)

UPDATED. On Wednesday morning, I received an email from the New York Times asking me to reconsider my recent decision to cancel my home delivery subscription. The email included a toll-free number for me to call to renew my subscription at an “exclusive” discounted rate.
There is one big problem here: I’ve never had a home delivery subscription to the New York Times. And also, no one picked up when I called the toll-free number, which does not seem to be listed to the NYT.
Apparently, I’m not the only one who has received a bogus email. In Tweets sent Wednesday morning, New York Times spokesman Robert H. Christie answered scores of confused messages from customers by saying the emails are likely a “spam” issue and that the paper was looking into the problem.
A closer look at the email’s details (which can be accessed by clicking “show details” on Gmail) reveals that the email’s DomainKeys Identified Mail, or “DKIM” was not signed, which is an indication that the email may not be on the up-and-up. The message was also apparently sent by bfi0.com, a mail server that’s registered to Epsilon Data Management, division of Alliance Data Systems that manages email marketing campaigns. It’s still early to tell, but it looks like Epsilon has been contracted by the NYT to do its email marketing campaigns, and that Epsilon’s security has been compromised.
This wouldn’t be the first time a big email list run by Epsilon Data Management has been broken into by an unauthorized third party. Earlier this year, customer email lists belonging to JP Morgan Chase, TiVo and 38 other companies were affected when hackers broke into Epsilon’s systems and accessed names and email addresses. Epsilon sends more than 40 billion emails per year for dozens of big name clients in the worlds of finance, retail, hospitality and the like. More sensitive details such as credit card numbers were not accessed in that breach back in March, but an unauthorized third party posing as a company like JP Morgan could result in some customers fall victim to phishing attacks where they give up more personal or financial data.
We’ve reached out to the New York Times for comment on the spam issue and whether they contract their email campaigns to Epsilon Data; this post will be updated with any details we receive.
UPDATE, 1:00PM PT: NYT spokeswoman Eileen Murphy responded via email: “An email was sent earlier today from The New York Times in error. This email should have been sent to a very small number of subscribers, but instead was sent to a vast distribution list made up of people who had previously provided their email address to the New York Times. We regret the error.” I followed up asking whether the Times, Epsilon, or an unauthorized third party was responsible for the error; and Murphy responded that it was “an error on the part of the New York Times.” This, of course, contradicts the multitude of earlier messages sent by the New York Times communications department’s official Twitter account assuring readers that “The email was not sent from the New York Times.”
An earlier version of this story’s headline read “New York Times email list spammed in another apparent Epsilon Data breach.” This was changed once more information was received from the New York Times.