Epsilon breach: hack of the century?

Get ready to be spammed by phishing scams. When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet. Although Epsilon didn't name clients, it handles more than 40 billion emails annually for more than 2,200 global brands. If you are thinking you are safe because you opted out of marketing emails, think again.


Epsilon is one of the world's largest providers of marketing-email services. Epsilon issued a statement, "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."

The scope of major corporations affected is somewhat mind-boggling. Krebs on Security warned, "Among Epsilon's clients are three of the top ten U.S. banks - JP Morgan Chase, Citibank and U.S. Bank - as well as Barclays Bank and Capital One."

After searching through the many articles covering the Epsilon hack, these are the companies that have sent out warnings to their customers:

Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delaware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, Ameriprise Financial, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books, Lacoste.

TechEye reported that the largest traditional grocery retailer Kroger, "employs more than 338,000 associates with stores in 31 states under two dozen local banner names including Kroger, City Market, Dillons, Jay C, Food 4 Less, Fred Meyer, Fry's, King Soopers, QFC, Ralphs and Smith's. Potentially anyone who has given their email to any of these places could have had their data half inched."

PCWorld noted, "In some cases, more than just e-mail addresses and names were disclosed -- both Marriott Rewards and Ritz-Carlton Rewards had member rewards points disclosed, along with names and e-mail addresses. This could give scammers more leverage when they attempt a targeted campaign."

That doesn't exactly match up with Epsilon's statement of only names and email addresses, does it? What more I wonder will be disclosed in the next week or so?

According to Paul Ducklin of Sophos Naked Security, it is "moderately comforting" that only names and email addresses were stolen. "Epsilon is, if you like, a 'cloud provider' of electronic direct marketing services, so a security breach of the Epsilon system is, effectively, a breach of all its customers' systems, too."

Personally, I find the Epsilon hack moderately aggravating as there will be countless people duped by phishing attacks. 

Reuters claimed "it could be one of the biggest such data breaches in US history". Indeed, it certainly appears to be one of the largest heists of its kind.

Be on the lookout for spear phishing campaigns that greet you by name and claim to come from a company you really do business with, and don't nibble on them. Keep your security software updated. If you feel like you really must open an email from one of these companies, mouse over the link to see whether the domain name actually matches the company, not merely contains the company's name somewhere in it. Check for HTTPS, but keep in mind that HTTPS only means the connection is encrypted; a phishing site can use it too, so it does not prove you are talking to the real company. Better still, skip the link altogether and type the company's address into your browser yourself. Don't give out sensitive personal information unless you are 100% sure you are dealing directly with the company, as these emails can open the way to identity theft.
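The link check described above, worked through as an added example (this is not code from the original article): a small Python script that pulls the anchors out of a constructed sample phishing email, compares the host shown in the visible link text with the host the href really points to, checks the link's registrable domain against the brand's own domain, flags lookalike domains that merely contain the brand name, and notes whether the link is HTTPS. The sample email, the brand domain chase.com and the `.example` hostnames are constructed for illustration, and the registrable-domain helper is deliberately naive (it keeps the last two labels) rather than Public Suffix List based.

```python
"""Flag suspicious links in an HTML email (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: the first link shows a chase.com URL as its text
# but points somewhere else, the second uses a lookalike domain over HTTPS,
# the third is the genuine site.
SAMPLE_HTML = """
<p>Dear John Doe, please verify your account:</p>
<a href="http://chase.com.account-verify.example/login">https://www.chase.com/verify</a>
<a href="https://secure-chase-online.example/">Chase Online</a>
<a href="https://www.chase.com/">www.chase.com</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; a real
    checker would consult the Public Suffix List for co.uk and the like)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def text_host(text):
    """If the visible link text looks like a URL or hostname, return its host."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    h = host_of(t)
    return h if "." in h else ""


def check_links(html, expected_domain):
    """Return one finding per link with the reasons it looks suspicious."""
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if registrable_domain(host) != expected:
            reasons.append("domain %s is not %s" % (registrable_domain(host), expected))
            if brand in host:
                reasons.append("lookalike: brand name inside a foreign domain")
        shown = text_host(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("visible text shows %s but link goes to %s" % (shown, host))
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML, "chase.com"):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

Note that the second sample link passes the HTTPS check and still gets flagged: the domain test, not the padlock, is what catches it.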

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, told Brian Krebs that Epsilon was lazy in its security. "Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out."

More companies may come forward to alert customers of their names and email addresses being stolen. This list keeps swelling and this may be the outsourcing hack from hell. It's ridiculous.

Image Credit: Stomchak 
