WASHINGTON: Hackers behind what computer security experts believe could be the biggest data theft in US history may be planning to sell the information to cyber criminals for targeted scams.

And while the tens of millions of names and email addresses swiped from online marketing firm Epsilon do not appear to have been used yet for cyber crime, experts said it may just be a matter of time.

Major US banks, hotels, retail outlets and other companies have been warning customers to be wary of fraudulent emails after Epsilon acknowledged last week that hackers had gained access to the Texas-based company’s email system.

Epsilon, which provides email services for some 2,500 companies around the world, has said that customer data for about two percent of its total clients was exposed in what it called an “unauthorised entry.”

Ed Heffernan, chief executive of Alliance Data Systems Corp., Epsilon’s parent company, apologised for the breach on Wednesday and said it was being investigated by federal authorities and outside computer forensics experts.

“We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber thieves with the greatest sense of urgency,” Heffernan said.

Epsilon, which sends out over 40 billion emails a year, did not identify the firms whose customers’ names and email addresses were taken but dozens of US companies have come forward over the past few days.

“It’s basically a who’s who from the retail and banking space,” said Nicholas Percoco, head of Trustwave’s SpiderLabs. “Some of the top brands in the world.”

They include Hilton and Marriott hotels, telecom giant Verizon, drugstore chain Walgreens, the Home Shopping Network and retailers Best Buy, Kroger, New York & Co. and Target.

Banking and financial firms include Citigroup, JPMorgan Chase, Capital One, US Bank, Barclays Bank of Delaware and Ameriprise Financial.

Experts said the data theft at Epsilon could be the largest ever in terms of volume, comparable to the exploits of Albert Gonzalez, a hacker serving 20 years in prison for stealing tens of millions of debit and credit card numbers.

Percoco said the Epsilon data theft may involve as many as 100 million email addresses and “could end up being the largest breach ever of raw personal data, consumer data.”

“All indications are this could be the biggest one in history,” agreed Marian Merritt, Internet Safety Advocate at Symantec, the maker of Norton anti-virus software.

It is unlikely, however, to prove as damaging as the Gonzalez scams.