This morning an odd message landed in my inbox. It appeared to be from the New York Times, and it was sent with High Importance. Here’s how it started out:
Dear Home Delivery Subscriber,
Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps.
The only problem? I am not and have never been a New York Times home delivery subscriber. I have an online account only.
Judging by my Twitter feed, I am not the only person who received this message. For several hours, the New York Times’ official Twitter account denied responsibility for it:
Based on my inspection of the e-mail headers, they’re wrong. The message does indeed appears to have been sent by an authorized agent of the paper. And in fact, as I was getting ready to publish this post, a New York Times spokesperson acknowledged the error. Via Twitter, Amy Chozick, corporate media reporter for the Times, quoted the spokesperson as saying that the message, which should have gone to 300 people, went to 8 million instead.
A little background is in order…
I get e-mail messages from the New York Times regularly. The ones containing editorial content are sent from nytdirect@nytimes.com. That’s the source of the regular Travel Dispatch mailings I get once a week. It’s also the source of David Pogue’s Personal Tech column.
This message came from a different address: nytimes@email.newyorktimes.com. When I searched through my e-mail archives earlier today, I found eight examples of mailings from this address. An inspection of the headers shows that all of these messages are from the same IP address, 208.70.142.122, and can be traced back to a mail server at bfi0.com.
That IP address and server name are part of a very large direct mail company called Epsilon Interactive. (The company used to be called Bigfoot Interactive, which explains the server name bfi0.)
Epsilon is a division of Alliance Data, which boasts that "Epsilon sends over 40 billion permission-based emails annually on behalf of clients." That client list includes Hilton Hotels, Verizon, New York & Company, Kraft, KeyBank, and AstraZeneca, according to the company’s web page.
Nothing in this mailing appears to qualify it as spam. It appears to be a legitimate direct-mail piece that was mistakenly sent to a much larger group of New York Times customers than it was supposed to have been.
By the way, if the name Epsilon sounds familiar, perhaps it’s because the company suffered an enormous data breach back in April. In my research for this post I found an April message from Target:
Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party.
Several tech news outfits, including GigaOm and TechCrunch, speculated that this was another Epsilon data breach. Based on what I’ve seen, this is a garden-variety "oops" moment, noteworthy only for its size. It sounds like the New York Times and Epsilon need to acknowledge it, apologize, and move on.
Ed Bott (@ wordpress.com) 
Well… at least they didn’t include everyone in the CC field!
I received the following about 3.25 hours after I received the original, erroneous email:
Dear New York Times Reader,
You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription.”
This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
Sincerely,
The New York Times
Hey Ed, you may want to change this blog posting. Per the NY Times, this was not an Epsilon mistake but rather a NY Times Employee. See Apology: http://nyti.ms/x4ShpC
It was sent through Epsilon’s servers, so IMO they deserve at least some of the blame. They built a system fragile enough to allow this sort of error to happen. Thanks for the clarification on the details.