FAQ: Epsilon email breach
Names and emails were exposed, but it could have been worse
Computerworld - An email server breach at Epsilon Interactive exposed the names and email addresses of millions of people. The breach is being described as the worst of its kind.
Here's what you need to know:
What happened? Epsilon Interactive last Friday announced that unknown intruders had broken into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers. Epsilon has not disclosed how many accounts in total were exposed in the breach. Some say it is the largest breach ever involving that kind of data, meaning that tens of millions of email addresses were likely compromised.
I've never heard of Epsilon. Why do they have my name and email address? Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.
How did the breach happen? Epsilon has not divulged any details of the breach beyond saying that it was discovered on March 30.
If it's only names and email addresses that were exposed, why is everybody acting so concerned? The Epsilon breach, big as it is, could have been much worse. Right now, the biggest concern is that the stolen email addresses will be used by the intruders to launch sophisticated and highly targeted phishing attacks.
The stolen information will allow scammers to send authentic-looking email messages that appear to come from a bank or other business with whom the user has an existing relationship. The emails will try to trick people into parting with information such as their usernames and passwords for bank accounts or other online accounts, or they could try to trick people into downloading malware on to their systems. People who don't fall for such scams should be fine.
Will the stolen information allow the attackers to break into my bank account? No. Only email addresses and names were compromised, not login credentials.
I just received an email from my bank informing me about the breach. What steps do I need to take to protect myself? The first thing to do is relax. The stolen information by itself will not allow the intruders to break into any of your online accounts or to commit identity theft. The main thing to remember is not to respond to or follow links in any message that purports to come from your bank or another business asking you to update or validate your account information or to provide other personal details. Such links will take you to bogus websites set up to collect personal data or download malware to your system.
Don't respond to emails that threaten to close or suspend your account unless you provide certain personal information immediately. Never send your username and password in response to any email that asks for it, however authentic-looking the email might appear. Legitimate companies do not typically ask for such information in an email.
Should I change my email address? That probably would be the safest thing to do, but it can be a huge hassle. For the moment, the best option is to be extra vigilant in watching for phishing attempts.
What other information, besides names and email addresses, was compromised? So far, Epsilon has said that only names and email addresses were compromised in the breach. The company collects and sells a lot of other customer data, but it's not saying if any of that data was exposed.
Is there a complete list of all the companies affected by the breach? No. Epsilon has not released that yet. But blogger Brian Krebs has complied a (growing) list of the companies that have notified their customers about the breach so far. Close to 50 companies are on that list, including Best Buy, Citibank, Disney, JPMorgan Chase, The Home Shopping Network, Hilton, Marriott and the College Board.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Government Agency Webifies Outdated COBOL Applications Let this CTO tell you how his agency converted 1980s-era green screens into an e-filing portal for the 100,000 cases handled each year...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the... All Applications White Papers | Webcasts