Epsilon Email Breach: What You Need to Know

In one of the largest email security breaches ever, cyber thieves stole a list of email addresses from Epsilon, an online marketing corporation that sends out more than 40 billion emails a year. This was a deliberate, planned attack – not a random data loss.

Epsilon handles the email campaigns of some of the largest corporations in the country, including Best Buy, Walgreens, JPMorgan Chase, Capital One, Citibank, Hilton Hotels, Target, Home Shopping Network, and others. If you do business with any of the more than 50 affected organizations, you may have already received multiple email alerts. While Epsilon claims that no credit card or Social Security numbers were breached, in some cases full names were also obtained. Epsilon states that “a full investigation is currently underway.”

On the surface, it may appear that the breach did not result in significant damage, since all the cyber thieves stole was a list of email addresses. But be aware of phishing attacks: fraudulent emails that appear to be from a well-known company such as a bank, PayPal, the IRS, or a credit card company. Although they can be difficult to spot, they generally ask you to click a link to a fraudulent website, which may look exactly like the genuine site, and to provide, update or confirm sensitive personal information there. To bait you, they may allude to an urgent or threatening condition concerning your account. A classic example is “Your account has been suspended.”

Besides trying to trick you into providing your account number, PIN, SSN, home address, mother’s maiden name, or other sensitive information, the spoofed website may attempt to infect your device with malware, possibly even a keylogger. A keylogger is hidden software that records every key you press and sends the keystrokes to remote attackers. Some keyloggers are sophisticated enough to monitor for specific activity, especially access to online banking sites. When the desired behavior is observed, the keylogger goes into record mode, capturing your username and password.

Another organization involved is GlaxoSmithKline, the global pharmaceutical and consumer healthcare company. Of particular concern is the link between medical information and email addresses. GlaxoSmithKline makes prescription and non-prescription drugs, including HIV and depression medication. Glaxo has sent affected individuals a letter stating that the stolen information “may have identified the product website on which you registered.” This illustrates how easily a seemingly innocuous email address can connect consumers to highly sensitive information.

So coming back to the original question, what does this email breach mean to you?

The theft of millions of email addresses, along with full names, could lead to years of phishing, spamming, and targeted attacks. In particular, you need to watch for attacks in the following form, “Dear Steven: in response to the recent email breach that we notified you about, please confirm your personal account information.” Also be very wary of requests to “confirm orders” or “re-confirm payments”. With the information from the Epsilon attack, these phishing emails may even appear to come from a company you already do business with. Remember that this type of request is almost never legitimate. If you have *any* doubts, contact the company via a phone number on your statement, credit card, etc. – not one provided in the email or the website linked from the email.

Be further aware that an evolved form of phishing, called spear phishing, is now increasingly employed by cyber criminals. In this form, the attacker uses additional information, available from sources such as Facebook, Twitter, Google, LinkedIn, and similar sites, to craft a highly specific email aimed at individuals in management positions.

What can you do to protect yourself?

  • Be extra alert to email scams, especially if you have received a warning from a company that your email and name were involved in this breach.
  • Be aware that reputable companies typically will not ask for credit card information or other personal information in email.
  • If you are suspicious of an email, go directly to the website of the company that purportedly sent it. Do not follow links in the email as they may be fraudulent and malicious. Call the company’s number listed on its website, not the number in the email, as that too may be fake.
  • Use the latest anti-malware software and update it frequently (daily is best). Also use the latest version of your favorite browser, which will include the latest security features to warn you before you reach malicious websites such as phishing sites.
  • You could unsubscribe from email communications and re-subscribe using a new email address. This way, you would know that messages received in the new inbox are more likely to be genuine, since the new address was not part of the breach.

The list of affected businesses continues to grow, but currently includes the following:

  • 1-800-Flowers
  • AbeBooks
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Barclays L.L. Bean Visa
  • bebe
  • Benefit Cosmetics
  • Best Buy
  • Borders
  • Brookstone
  • Citi
  • College Board
  • Disney Destinations
  • Eileen Fisher
  • Ethan Allen
  • Fred Meyer (Kroger brands)
  • Hilton Hotels
  • Home Shopping Network
  • JPMorgan Chase
  • Lacoste
  • Marriott Rewards
  • McKinsey Quarterly
  • New York & Company
  • Red Roof Inn
  • Ritz-Carlton Rewards
  • Target
  • TD Ameritrade
  • TiVo
  • U.S. Bank
  • Walgreens

Individuals who receive a phishing attempt related to the Epsilon data breach can report it to the U.S. Secret Service by emailing phishing-report@us.cert.gov. If you have questions or concerns about the data breach, Epsilon asks you to contact Sarah Branam at 303-410-5369 or email sbranam@epsilon.com. You can also contact the affected companies directly with questions and concerns. If consumers lose money due to an email scam, they can file a complaint with the Internet Crime Complaint Center at http://www.ic3.gov or the Federal Trade Commission at http://www.ftc.gov.

As always, individuals should monitor their credit reports for suspicious activity. Every year, you can request free copies of your credit report from each of the three major credit bureaus. By requesting a different bureau’s report every four months, you can check your credit regularly throughout the year. Visit the official site at www.annualcreditreport.com.

Posted: April 18, 2011