Half a loaf

Premise: (nearly) every time I provide an email address for an organization to reach me, it is customized for them: if I deal with Ford, they will send me mail at ford@[this domain]. This lets me see who has sold my address on to someone else.
Aside: apparently almost nobody sells email addresses anymore, as virtually all the spam that folks attempt to send me is directed to addresses I foolishly allowed to be published in my naïve youth. As a result, if you want me to get mail and you use my favorite address to reach me, you’d better be on my whitelist.
Story:
Last week (I think it was), I received spam that wanted me to go to what I believe is a malware-infect{ed,ing} site. That spam was sent to an address I had provided to what I believe is a conscientious organization, so I was disappointed that their security had (apparently) been breached.
Today, I received email from that organization stating that one of their email service providers (Epsilon) had had “an unauthorized entry into [their] computer system,” and apologizing for the inconvenience. The break-in has been reported elsewhere. The thing that was missing from the apology was any indication how I might change my email address with them, as I would (barely) rather change my address than just turn off the compromised address. Even an “if you wish to remove your address from our mailing list …” would have been nice (practically de rigueur, for that matter, considering virtually every piece of mail to a list is expected to have information regarding opting out). Also of note: the apology email was sent via Epsilon. I hope the organization got a good rate for it.