Tuesday, April 05, 2011

Epsilon Data Breach What You Should Know

By now you are probably aware that there was a major data breach at the Epsilon marketing firm. What you may not know is exactly how this may affect you in the coming months. So we've thrown together a quick FAQs to help our readers more clearly understand whats at risk.

Who is Epsilon Marketing and why do they have my data?

Epsilon marketing is the world's largest permission-based e-mail marketer. Basically they are a large company that manages email marketing for other companies, such as Best Buy, Walgreens, Citibank, American Express ect. Epsilon is used to send promotions or other e-mails to the main company's customers.

If they have your information its because you visited and opted into marketing from one of the more than 2500 customers Epsilon has or it is because you have an account with one of their customers. Chase, Citibank ect automatically opt you into marketing when you open an account. To be removed you need to contact them via snail mail.

Who is affected?

Epsilon won't specify which of its 2,500 clients were affected, or how many customers' e-mails were stolen, but SecurityWeek has put together the following list: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies.

The names and contact information of some students affiliated with the U.S.-based College Board -- which represents some 5,900 colleges, universities and schools -- were also potentially compromised.

What information was exposed? Are my accounts safe? Should I change all my passwords and cancel my credit cards?

For starters, according to Epsilon, no other personal information was exposed besides e-mails and names. That is it, since Epsilon is only an email marketer they shouldn't have had any of your account information. They may have had your name, email and mailing address but that should be all.

Law enforcement and individual companies are doing their own investigations to make 100% certain so until then I'd monitor your credit information and keep a close eye on your accounts but you shouldn't need to make any drastic moves. Its smart to change your passwords every couple of months just in case so you might want to go ahead and start spring off with a new one anyways but for now I see no reason to be overly concerned.

What can I expect? What happens next?

So here is the big question what happens now? No one can say for sure what the hackers will do with the data, if anything at all. Most security experts, as well as myself, fully expect a hard nosed phishing attack. The hackers will likely either spearhead their own highly targeted attack or sell off the names and email addresses collected to another group. Either way it seems inevitable that those email addresses will be misused by scammers.

Since the scammers have access to both a users email address and their names security experts warn that users might be vulnerable to spear-phishing attacks. Phishing is a random legitimate looking email sent to random email addresses. In the case of spear-phishing that legitimate looking email will take on a more direct approach being targeted to confirmed users of a service and maybe even containing the users real name.

Short of completely changing your email address there is no defense against such a scenario. Users have to use common sense and be very vigilant in their clicking of links.

Here are a few ways to avoid a phishing attempt:

  • No matter how legitimate the email looks never use the link in the email use direct links that you know are good or use your bookmarks.
  • Always check your URLs and only log into secure sites with https://
  • Banks and other financial institutions never ask you to send them account information or logins if they are then its not legit
  • Watch out for "confirm your account" or "there has been a security breach" emails. These are one of the most common emails I see and they are more likely now that there has been a security breach. The emails sent out from this incident DO NOT contain links and DO NOT ask that you check or confirm your account. NetworkWorld has a list of some of the legit email sent out.
  • If you think the email looks to go to be true or even question for a second the legitimacy then don't trust it and go directly to the source, be it BestBuy, Citibank whatever.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you