McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.
On Nov. 24, I published an investigative piece that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations. From that story:
“The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.”
Artist haven deviantART also disclosed this week that its e-mail database — including 13 million addresses — had been hacked. deviantART blamed the breach on SilverPop Systems Inc., an e-mail marketing firm with whom it partners.
McDonald’s said its data spill was due to hacked computer systems operated by an e-mail database management firm hired by its longtime business partner Arc Worldwide, a marketing services arm of advertising firm Leo Burnett. Contacted by phone, Arc Worldwide President William Rosen referred all questions to another employee, who declined to return calls seeking comment.
Walgreens didn’t name the source of the breach, but said it was due to “unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data.” Interestingly, Arc Worldwide stated in a July 27, 2009 press release that Walgreens had chosen it as the promotion marketing agency of record.
As I was putting this blog post together, I read a story by The Register reporter Dan Goodin that cited an FBI agent who tied a thread between all of the breaches. Goodin reported that FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems. From that piece:
“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI’s Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”
In other words, it’s fair to say we can expect plenty more of these disclosures in the days and weeks ahead. The other thing to keep in mind is that while the customer data at issue in these breach disclosures isn’t exactly super-sensitive — e-mail addresses and birthdays, for example — this information can enable skilled attackers to be more convincing in posing as the victim company in a bid to extract even more useful customer data, such as passwords. One need only look to the recent breach at Gawker Media — which exposed passwords and user names of 1.3 million users — to see how often users recycle passwords across a large number of Web sites.
Update, Dec. 16, 5:01 p.m. ET: SilverPop CEO Bill Nussey has published a brief response to the incident on the company’s blog.