April 4, 2011

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

Among Epsilon’s clients affected are three of the top ten U.S. banks – JP Morgan Chase, Citibank and U.S. Bank — as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more effective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

Crooks used very similar spear phishing methods to steal customer contact information from dozens of email marketing firms late last year, as KrebsOnSecurity.com first reported in detail. In the wake of that assault, data spills at other email marketing firms like SilverPop have prompted disclosures from clients such as TripAdvisor and Play.com.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

“There are best practices that the majority of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

“To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

“The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected.  Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”
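Zittrain’s opt-out point can be made concrete. The Python below is an added example, not Epsilon’s code or anything the page describes: an unsubscribe deletes the address and name from the live table and keeps only an HMAC of the address under a pepper that is assumed to live in a secrets manager or HSM outside the database. The send path can still honour the opt-out, but a copy of the database yields no opted-out addresses. The class, method names and sample data are hypothetical.

```python
import hmac
import hashlib
import json

# Added illustration; not Epsilon's design, which the page does not describe.
# Assumptions: the pepper is held outside the database (secrets manager/HSM),
# and clients only ever ask "may I send to X?", never "list everyone who opted out".


class SubscriberStore:
    """Active subscribers in the clear (they must be mailed); opt-outs as keyed digests only."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self.active = {}         # normalized email -> {"name": ..., "client": ...}
        self.suppressed = set()  # HMAC-SHA256(pepper, normalized email), hex

    @staticmethod
    def normalize(email: str) -> str:
        # Case-fold and trim so "Alice@Example.com " and "alice@example.com" match.
        return email.strip().lower()

    def _digest(self, email: str) -> str:
        return hmac.new(self._pepper, self.normalize(email).encode(), hashlib.sha256).hexdigest()

    def subscribe(self, email: str, name: str, client: str, reconsent: bool = False) -> bool:
        """Add a subscriber. A suppressed address is refused unless the person re-consented."""
        d = self._digest(email)
        if d in self.suppressed:
            if not reconsent:
                return False
            self.suppressed.discard(d)
        self.active[self.normalize(email)] = {"name": name, "client": client}
        return True

    def unsubscribe(self, email: str) -> None:
        """Genuine removal: the address and name are deleted; only the keyed digest is kept."""
        self.active.pop(self.normalize(email), None)
        self.suppressed.add(self._digest(email))

    def may_send(self, email: str) -> bool:
        return self.normalize(email) in self.active and self._digest(email) not in self.suppressed

    def dump(self) -> str:
        """What a copy of the database (without the pepper) reveals."""
        return json.dumps({"active": self.active, "suppressed": sorted(self.suppressed)}, sort_keys=True)


if __name__ == "__main__":
    store = SubscriberStore(pepper=b"demo-pepper-kept-out-of-the-db")  # constructed value
    store.subscribe("Alice@Example.com", "Alice Example", "BankCo")     # constructed subscriber
    store.unsubscribe("alice@example.com")
    print(store.dump())  # no "alice", no "Alice Example"; one opaque hex digest
```

A plain SHA-256 of the address would not do here: e-mail addresses are guessable, so an unkeyed digest of a leaked suppression table can be reversed by hashing a spam list and comparing. With the pepper held elsewhere, the table is useless on its own. The live list still has to exist in the clear to send mail, which is the “Ft. Knox” problem Zittrain describes; minimization only shrinks the vault.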

Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

“Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

The stock price for Epsilon’s parent company, Alliance Data Systems Corp. (NASDAQ: ADS) was down $4.77 per share, or 5.55 percent, in mid-day trading Monday.

Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • GlaxoSmithKline
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Lacoste
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • M&T Bank
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Scottrade
  • Smith Brands
  • Target
  • TD Ameritrade
  • TIAA-CREF
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

160 thoughts on “Epsilon Breach Raises Specter of Spear Phishing”

  1. Don

    Add P90X, TurboJam, and Insanity work-out company to the list:

    Dear Beachbody® Customer,

    Beachbody’s email service provider, Epsilon, has recently informed us that your email address may have been exposed due to unauthorized access of Epsilon’s system. We’ve been told that this unauthorized access was limited to only name and email addresses of some Beachbody customers, with no other information accessed.

    As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.

    We recommend that you always be extremely cautious with emails from persons or entities you do not recognize or know, and specifically:

    Don’t open links or attachments from third parties you don’t know or recognize;
    Don’t provide any personal or other sensitive information by email to third parties you don’t know or recognize; and
    Don’t provide a credit or debit card number, bank or other account details, or any other financial information by email to any third parties you don’t know or recognize.
    We regret that this incident has occurred and apologize for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

    Please don’t hesitate to contact us with any questions at emailsecurity@beachbody.com.

    Sincerely,
    Jonathan L. Congdon
    President

  2. Clark

    I have gotten 3 notices from companies in the above list. 2 of them do not bug me as spammers already know the address and I rarely do business with the 2 companies. I am also very careful as to which e-mail I open.

    As for the messages from those companies, 1 had the title:

    An Important Message from Hilton Honors

    The one from Best Buy was titled:

    Important Email Security Alert

    The one from Hilton went unopened until after Brian wrote this story. The one from Best Buy was opened immediately.

    The 3rd is from a bank and it is for an e-mail account that I ONLY use for financial institutions. This account has never gotten any spam. As a result of the e-mail account now being known, I am creating a new e-mail account and will switch my other financial accounts to use this new e-mail account. I will also stop using the credit card from that bank. But I am keeping the old e-mail account open as I am curious to see what type of spam shows up.

    What a pain.

  3. Barb

    Received a notice from JJill. (below)

    Dear Barbara Malone,

    Recently, Citi was notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including Citi. The information obtained was limited to the customer name and email address of some credit card customers. No account information or other information was compromised and therefore there is no reason to re-issue a new card.

    Because e-mail addresses can be used for “phishing” attacks, we want to remind our customers of the following:

    Citi Cards uses an Email Security Zone in all of our email to help you recognize that the email was sent by us. Customers should check the Email Security Zone to verify that the email you received is from Citi and reduce the risk of personal information being “phished.” To help you recognize that the email was sent by Citi we will always include the following in the Email Security Zone in the top headline portion of all our emails:
    Your first name and last name
    Last four digits of your Citi card account number
    And recently to increase security, we have added your “member since” date located on the front of your card, where available.

    More information about phishing is available here: learn more
    Important steps that you can take to protect your security online:

    Don’t provide your Online User ID or password in an e-mail.
    Don’t reply to e-mails that require you to enter personal information directly into an e-mail or URL.
    Don’t reply to or follow links in e-mails threatening to close your account if you do not take the immediate action of providing any personal information. We may send you an email regarding your account requesting you contact us via phone.
    It is not recommended to use your e-mail address as a login ID or password.
    If you suspect that you’ve received a fraudulent e-mail message, please forward it to us.
    Forward suspicious e-mails to: spoof@citicorp.com

    If you have any questions or concerns about emails that you may receive that look suspicious, we encourage you to contact Citi Customer Service at the phone number on the back of your card.

  4. Boris

    The AIR MILES® Reward Program was informed by our email service provider that they had an unauthorized entry into their email platform, which is the system used to send AIR MILES emails. We have been assured that the only information that may have been exposed was first name, last name and email address of some of our Collectors. Details of your account are not stored in this system and were not at risk.

    Please note it is possible you may receive spam email messages as a result. We want you to be cautious when opening links or attachments from unknown third parties. We want to remind you that AIR MILES will never ask for your personal information or login credentials in an email. As always, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email.

    As a reminder, we recommend that you:
    • Don’t give your AIR MILES Collector number or PIN in email.
    • Don’t respond to emails that require you to enter personal information directly into the email.
    • Don’t respond to emails threatening to close your account if you do not take the immediate action of providing personal information.
    • Don’t reply to emails asking you to send personal information.

    We regret that this has taken place and apologize if this causes you any inconvenience. We take your privacy very seriously and we will continue to work diligently to protect your personal information.

    If you have any questions please contact us at question@airmiles.ca or 1-888-AIR MILES.

  5. Jonathan

    Received notice from Scottrade:

    As a valued Scottrade customer or someone who previously provided us with your email address, we want to make you aware of a situation that affects your email security. We have been notified by Epsilon, a company we use to send emails, that an unauthorized person outside of their company accessed records that contained your name and email address.

    This incident occurred at Epsilon. We want to assure you that Scottrade’s systems were not affected and your account information remains secure.

    The security of your information is important to us and we apologize for any inconvenience this may have caused. You may receive an increase in spam email as a result of this incident. We encourage you to be cautious when opening emails, links or attachments from unknown sources. Scottrade will never ask you for personal or account information in an email.

    Please visit Scottrade’s Security Center http://www.scottrade.com/security/ for more information on online security.

    Sincerely,

    Scottrade Customer Support

  6. pw4getter@yahoo.com

    From Scottrade

    As a valued Scottrade customer or someone who previously provided us with your email address, we want to make you aware of a situation that affects your email security. We have been notified by Epsilon, a company we use to send emails, that an unauthorized person outside of their company accessed records that contained your name and email address.

    This incident occurred at Epsilon. We want to assure you that Scottrade’s systems were not affected and your account information remains secure.

    The security of your information is important to us and we apologize for any inconvenience this may have caused. You may receive an increase in spam email as a result of this incident. We encourage you to be cautious when opening emails, links or attachments from unknown sources. Scottrade will never ask you for personal or account information in an email.

    Please visit Scottrade’s Security Center http://www.scottrade.com/security/ for more information on online security.

    Sincerely,

    Scottrade Customer Support

  7. Len

    In Canada, add Best Buy Reward Zone to the list.

    We have been informed by our email service provider, Epsilon, that your name and email address have been exposed by unauthorized entry into their system. Epsilon deploys emails on our behalf to our Reward Zone members. Click here to read Epsilon’s statement.

    We have been assured by Epsilon that the only information that has been exposed was your name and email address. A rigorous assessment by Epsilon has determined that account details, passwords or any other personal information were not at risk.

    It is possible that you may receive spam email messages as a result and we would advise you to be very cautious when opening links or attachments from unknown senders. More information on spam and protecting yourself from email fraud can be found here.

    In keeping with security industry best practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, http://www.bestbuy.ca. If you receive an email asking for personal information, delete it. It did not come from Best Buy. The next scheduled email from Reward Zone about our Trade In Event will arrive to your inbox on April 15, 2011.

    Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we are working diligently to fully investigate this situation and continue to protect your personal information. If you have further concerns or questions please contact us: 1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

    Sincerely,

    Angela Scardillo
    Vice President of Marketing
    Best Buy Canada

  8. Helly

    It’s amazing the interest this story has generated. While it’s a significant breach, I would hardly call it the “hack of the century”. Sure customers need to be alerted, and aware for future fraud attempts, and Epsilon held accountable.

    It is interesting that your average computer user is more up in arms over this breach than say Heartland or Stuxnet.

    1. xAdmin

      I agree. You’ll notice that once it hits the mainstream media, it takes on an alarmist tone and people start posting paranoid comments like they stole more than just e-mail addresses, instead they also got your login credentials and will empty your accounts. And Big business is evil and we need government action now! Class action lawsuits!

      Uh, calm down people, get a grip on reality. Slow down, let’s not be hasty. Bottom line, regardless of this breach, you shouldn’t EVER respond to unsolicited e-mail from anyone, no matter how authentic it may seem. I don’t need a letter or statement from any of these companies to know that! I swear that many have absolutely no critical thinking skills!

  9. Ian

    In the UK, add Marks and Spencer to the list. It’s actually quite funny how all the companies affected keep saying “your privacy is important to us”, while NOT adding “not important enough that we actually made sure the clowns we give the information to because they were the lowest bidder are capable of looking after it, obviously”

    We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.

    We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.

    We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Marks and Spencer plc. Registered office: Waterside House, 35 North Wharf Road, London W2 1NW.
    Registered number: 214436 (England and Wales)

  10. Joel Franco

    As someone who takes my personal privacy very, very seriously, I’m deeply upset by the nature and scope of this breach. Trusted companies with whom I’ve shared more details than even some BANKS have on me are thrusting my data to third-party providers who could care less. As stated in the story, why it’s not industry-standard procedure to be encrypting the email data of MILLIONS of customers is beyond me. My small firm maintained a database of some 2,500 clients and some intimate details (though NOT credit cards and bank ACH information) and it was encrypted from day one. Not once did we want to take a chance that a competitor may find a way into the DB, let alone a hacker or rogue actor. I’m secretly hoping this leads to a lawsuit of the same (dare I say epic) proportions. Someone has to take a hit in order for everyone else to fall into line.

  11. Janet

    Almost every single company that I work with has sent me a letter advising of the Epsilon Breach…unreal….B of A, 1800flowers, you name it..they are ALL clients of Epsilon…are they the only large IT company of its kind or what???? Wow..

  12. CJ

    Beachbody.com has also said they are included in the breach.

  13. Monica

    This is a serious matter. We expect that a large company like Epsilon would make sure that their clients’ consumers’ info would be more secure. Like I said before this thing could wind up being nothing, but when you put millions of people at risk there will be people freaking out.

  14. brenda

    Hearing lots about the companies and customers impacted. Any news on the details of the hack?

    1. Pedro Montoya

      Saw this comment from the earlier discussion on 4/2 regarding this. It seems the most likely scenario:

      Christopher Sim
      April 2, 2011 at 12:39 pm
      My imagined scenario: Epsilon employee gets spear-phished, and his account creds are compromised.

      Attacker then uses these creds to login to the public internet site, which Epsilon hasn’t restricted from use by admins.

      This admin has access to multiple company accounts. Attacker proceeds to download the email lists from all these vendors.

      This seems the most likely attack scenario. It begs the question: does Epsilon care about their customer data, if the admins can login from the internet? Their customers have to trust SOMEBODY within Epsilon. They seem to have not respected that trust.

  15. Scott H.

    I am more concerned with those Epsilon customers I am not getting a notification sent from. I independently checked at the websites of a few. There were the notices. One I had to dig to find the notice. Why?

    Now, I am not intensely concerned over email and name, but still not good. All I ask is if my name and addy is lost let me know. Also, for those not as paranoid as I, point out that emails mentioning your name are not as safe as you may think. And, push the notice, it is cheap, as spammers can attest. Don’t make your customers come to you to find out.

    Thanks for listening er reading.

    1. Heron

      Some of the notices may be landing in your spam folder, or filtered out before they even get to your account. That can happen to mass-mailed email messages, no matter how legitimate they are.

  16. Heather

    You still have Verizon in the list but you said it had been removed. 😉

    1. BrianKrebs Post author

      I said I was taking Verizon off the list because it was unconfirmed. It has since been confirmed by numerous readers who sent in the communication about it.

  17. AlphaCentauri

    Epsilon still states on their website:

    “How Is Information About Me Kept Secure?

    “We protect information we collect about you by
    maintaining physical, electronic and procedural
    safeguards. All information is secure and may be
    accessed only by key staff members of Epsilon. We
    take reasonable precautions to protect your
    information both online and offline. Periodically, our
    employees are notified about the importance we
    place on privacy and security, and what they can do
    to ensure our clients’ information is protected. The
    servers on which we store data are kept in a secure
    environment.”

    “Reasonable precautions?” “Periodically our employees are notified about the importance we place on privacy and security?”

    Why do I have the feeling that Epsilon is the kind of company that thinks reminder memos and motivational wall posters constitute a quality management program?

    1. brenda

      Maybe they should have reported they have developed a comprehensive internal privacy/security program and routinely provide training for all their employees… and/or employees are tested on their privacy/security knowledge base to ensure everyone is engaged in preventing preventable data loss.

      I for one would have been more convinced of the company’s dedication to security and impressed… which isn’t the case. 😉

  18. Owen

    An Important Message from Dell Australia

    Dell’s global email service provider, Epsilon, recently informed us that their email system was exposed to unauthorised entry. As a result, your email address, and your first name and last name may have been accessed by an unauthorised party. Epsilon took immediate action to close the vulnerability and notify US law enforcement officials.

    Whilst no credit card, banking or other personally identifiable information was involved, we felt it was important to let you know that your email address may have been accessed. While we hope that you will not be affected, we recommend that you be alert to suspicious emails requesting your personal information.

    To help protect your personal information online we recommend that you do not provide any sensitive information through email, or open emails from senders you do not know. Dell will never ask for your financial information through email.

    Dell takes its commitment to protecting customer data very seriously and has notified the Australian Privacy Commissioner and ACMA (Australian Communications and Media Authority). Dell continues to work closely with regulatory bodies and manage customer concerns.

    We sincerely regret that this incident has taken place and we will continue to work with Epsilon to ensure that all appropriate measures are taken to protect your personal information.

    Please contact us at anz_cust_serv@dell.com should you have any questions.

    Sincerely

    Deborah Harrigan
    Dell Consumer and Small Business Executive Director
    Dell Australia Pty Limited

  19. Mahrudhomey

    This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Fashion Bug Credit Card account.

    Dear Valued Customer,

    Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

    As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

    Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

    Sincerely,
    Sallie Komitor
    Head of Customer Service

  20. Scott H.

    I just got mine from TIAA-CREF. Sent by Epsilon according to the message headers.

    Received: from [192.168.3.34] ([192.168.3.34:42131] helo=unjdrmmailerpv09)
    by pimta04.epsiloninteractive.com (envelope-from )
    (ecelerity 2.2.2.45 r(34222M)) with ESMTP
    id 27/1C-32346-7B80C9D4; Wed, 06 Apr 2011 02:31:19 -0400

    It has a copyright notice so I will not post its entirety. It does not address me by name, good considering the breach means that no longer contributes to legitimacy.

    It states do not reply to this e-mail in caps. But rather contact them directly. OK, good, sort of. Just follow the provided link under “contact us”. Oh, and there are about half a dozen links. Should make a nice template for phishing, except it’s copyrighted, so not to worry.;)
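The header check Scott H. describes can be automated. The Python below is an added example, not from the post or any commenter: it walks the Received chain from the top, finds the first hop written by a relay the recipient trusts, and reports which host handed the message over there, since everything beneath that hop, including the From: line, is text the sender chose. The sample messages are constructed: the Epsilon hop reproduces the line quoted above; the receiving relay mx.example.net, the 203.0.113.x addresses, sender.example and mail.evil.example are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Received: lines are prepended by each relay, so get_all("Received")[0] is the
# hop nearest the recipient. Only hops written by relays you (or your mailbox
# provider) operate are evidence; anything beneath them is the sender's text.
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>[\w.\-]+)",
                         re.IGNORECASE | re.DOTALL)


def _under(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().strip("[]")
    return any(host == s or host.endswith("." + s) for s in map(str.lower, suffixes))


def parse_received(msg: Message):
    """[(from_host, by_host), ...], newest hop first; (None, None) for lines we cannot parse."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(raw.split()))  # unfold and collapse whitespace
        hops.append((m.group("frm").lower(), m.group("by").lower()) if m else (None, None))
    return hops


def handoff_host(msg: Message, trusted_relays):
    """Host that delivered the message to the first trusted relay, walking from the top."""
    for frm, by in parse_received(msg):
        if by and _under(by, trusted_relays):
            return frm
    return None  # no trusted hop at all: treat as unverifiable


def is_expected_sender(msg: Message, trusted_relays, expected_senders) -> bool:
    host = handoff_host(msg, trusted_relays)
    return host is not None and _under(host, expected_senders)


# Constructed sample: a hop by the recipient's own MX (assumed mx.example.net,
# 203.0.113.10) on top of the Epsilon hop quoted in the comment above.
GENUINE = "\n".join([
    "Received: from pimta04.epsiloninteractive.com (pimta04.epsiloninteractive.com [203.0.113.10])",
    "\tby mx.example.net (Postfix) with ESMTPS id 4F2C3A1; Wed, 06 Apr 2011 02:31:22 -0400",
    "Received: from [192.168.3.34] ([192.168.3.34:42131] helo=unjdrmmailerpv09)",
    "\tby pimta04.epsiloninteractive.com (envelope-from )",
    "\t(ecelerity 2.2.2.45 r(34222M)) with ESMTP",
    "\tid 27/1C-32346-7B80C9D4; Wed, 06 Apr 2011 02:31:19 -0400",
    "From: TIAA-CREF <noreply@sender.example>",
    "Subject: Important notice",
    "",
    "(body)",
])

# Constructed sample: the attacker's own host hands the message to mx.example.net
# and pastes a plausible-looking Epsilon hop underneath it.
FORGED = "\n".join([
    "Received: from mail.evil.example (mail.evil.example [203.0.113.66])",
    "\tby mx.example.net (Postfix) with ESMTPS id 9B1D7E0; Thu, 07 Apr 2011 09:12:03 -0400",
    "Received: from [192.168.3.34] ([192.168.3.34:42131] helo=unjdrmmailerpv09)",
    "\tby pimta04.epsiloninteractive.com (ecelerity 2.2.2.45 r(34222M)) with ESMTP",
    "\tid 27/1C-32346-7B80C9D4; Thu, 07 Apr 2011 09:11:58 -0400",
    "From: TIAA-CREF <noreply@sender.example>",
    "Subject: Important notice",
    "",
    "(body)",
])

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        msg = message_from_string(raw)
        print(label, handoff_host(msg, ["example.net"]),
              is_expected_sender(msg, ["example.net"], ["epsiloninteractive.com"]))
```

Production mail systems make the same decision with SPF, DKIM and DMARC, which authenticate the sending host and the message rather than a hostname printed in a header; the point here is that only the hop your own relay wrote is evidence, and a forged lower Received: line that name-drops the brand’s ESP proves nothing.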

  21. Keith Appleyard (West Wickham, UK)

    I came to add Marks & Spencer (UK), but see somebody beat me to it.
    I’d quibble over the removal of American Express; Hilton Hotels outsources all the processing associated with Hilton Honors loyalty program to Epsilon; consequently, if you have an American Express HiltonHonors co-branded Credit Card, then you are presumably in scope of the Epsilon breach.

  22. BK

    I do not understand the AMEX situation, John…are you saying that anyone who gets AMEX membership rewards points (like Blue cards) would be impacted by the breach?

    Almost all AMEX cards get rewards.

  23. brenda

    This situation is becoming very interesting.

    We are all ready to burn Epsilon at the stake as well as the companies sending and not sending out email notification of the compromise.

    Here’s what we all need to ask ourselves…

    How many of us actually and thoroughly READ the online privacy statements each of these companies publish on their websites? I would venture to guess, (based on my personal data from teaching classes and workshops on identity theft awareness and prevention) fewer than 3% do.

    Are you aware that most of these statements say by clicking “agree” or “accept” you are giving your permission for them to share your information with 3rd parties and partners of their choosing and for reasons they stipulate?

    How many of us ask those companies who these partners are and if they have taken steps to VALIDATE the 3rd parties and partners are securing your personal information?

    Be honest… FEW DO because we’re more concerned about being rejected by a company that may not fill our orders or provide a service we want or need.

    With this being said, why are we surprised breaches happen? Why do we willingly provide information without thought of how it is being kept secure or the cause and effect of a breach should one happen? Why after the fact? Why do we assume proper security is in place? Why do we assume every company we share our info with secures it from A-Z… including people and companies with whom THEY share the info?

    Why do we not take steps to protect our email if we’re all so concerned about how breaches and data compromises affect us? How often do we willingly provide our email upon request without question?

    Do you have any idea when you provide your email or post it publicly, how it is being used and by whom or how it is being stored or shared?

    Every person and company in the chain puts all info at risk of theft and phishing attacks… including our email, family members’ and friends’ computers if they are hacked. I see these attacks happening everyday with people I know who have Facebook accounts hacked or leave their laptop someplace and it becomes missing or stolen.

    Should we be upset with Epsilon? Of course. But realize email theft and keylogging attacks are happening everyday, all day and those companies whose names are linked to them get real nervous about damage to their brand and then of course if your security is linked to their brand, then they are also concerned, in varying degrees about your security. 😉

    We each have the responsibility to learn how to protect our information and not trust it to just anyone or any company.

    I’ve been speaking and educating on the topic of identity theft awareness and prevention for years and can say from experience few care until it happens to them… including companies. 😉

    1. Ian

      Hi Brenda, interesting point on reading privacy statements. However, I got one of these warnings from Marriott so went to look at their privacy statement. They helpfully include a long list of companies they can pass my personal info to. They don’t include Epsilon. Maybe the people responsible inside some organisations need to look at their privacy policies occasionally too!

    2. xAdmin

      Excellent points. These are many questions that people should be asking. What’s that saying, when you point a finger, there are many pointing back at you! I can imagine how frustrating it must be in your classes at times. You try to educate people on these issues and it falls on deaf ears. Very frustrating! IMO, I believe there is a general mental laziness that permeates our society. Many really are spoiled by all this technology and ease of use and never think beyond it. I see it every day whether at work, in public, or with friends and family. I’ve said it many times here, but I really believe it based on personal experience; many lack critical thinking skills. 🙁

  24. brenda

    Not to dominate the discussion but I have to smile when I think of all the companies that turned down the opportunity to purchase the patent-pending “keystroke encryption” software my firm markets because they were under the delusion their anti-virus would prevent hacking.

    “If you aren’t actively engaged in being part of the solution, you are part of the problem.” 😉

    Remember, keystroke hijacking malware can steal login credentials more easily than phishing attacks… and most often is undetectable by anti-virus or pretty much anything else except keystroke encryption solutions. My guess is Epsilon was a victim of keylogging. But that’s just a guess given they haven’t gone public with how the breach occurred. 😉

  25. Lars

    Add Crucial to the list. Here’s the text of their alert:

    Subject: Important update from Crucial.com regarding the recent email security breach

    On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

    We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.

    For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.

    For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    1. Lars

      And yes, it was sent by Epsilon service.

      Received: from arm-ei178.bigfootinteractive.com [216.33.63.178] (HELO bigfootinteractive.com) by vw1.***.com (8.12.10/8.11.5) via ESMTP id for ; Wed, 6 Apr 2011 14:48:54 -0400
      Received: from [192.168.3.31] ([192.168.3.31:63252] helo=unjdrmmailerpv06) by unjdrmmtap04.epsiloninteractive.com (envelope-from ) (ecelerity 2.2.2.45 r(34222M)) with ESMTP id FB/31-04075-1C5BC9D4; Wed, 06 Apr 2011 14:49:37 -0400
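      As an added example (not code from Lars, Brian Krebs or Epsilon): a short Python script that pulls the relay chain out of a block of Received headers like the two posted above, puts the hops in the order the message actually travelled, flags which hops sit on private addresses, and lists the hostnames that fall under the two Epsilon-operated domains visible in those headers. The sample header block is constructed from the headers Lars posted, with his redactions left as they are; the domain list is an assumption drawn from those headers, not a published list of Epsilon’s sending infrastructure.

```python
import email
import ipaddress
import re

# Constructed sample: the two Received headers posted above, assembled into one
# header block. The poster's redactions ("id for ;", "envelope-from )") are kept as-is.
SAMPLE_HEADERS = """\
Received: from arm-ei178.bigfootinteractive.com [216.33.63.178] (HELO bigfootinteractive.com) by vw1.***.com (8.12.10/8.11.5) via ESMTP id for ; Wed, 6 Apr 2011 14:48:54 -0400
Received: from [192.168.3.31] ([192.168.3.31:63252] helo=unjdrmmailerpv06) by unjdrmmtap04.epsiloninteractive.com (envelope-from ) (ecelerity 2.2.2.45 r(34222M)) with ESMTP id FB/31-04075-1C5BC9D4; Wed, 06 Apr 2011 14:49:37 -0400
Subject: Important update from Crucial.com regarding the recent email security breach

"""

# Assumption: these are the sender-side domains seen in the posted headers, nothing more.
KNOWN_SENDER_DOMAINS = ("epsiloninteractive.com", "bigfootinteractive.com")

# "from <host> [ip] ... by <host>": claimed sending host, first bracketed IPv4
# (optionally with a :port), and the MTA that wrote the header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\])?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_received_chain(raw_headers: str) -> list:
    """Return the relay hops in chronological order (earliest hop first).

    Each MTA prepends its own Received header, so the header nearest the top
    of the message is the most recent hop; we reverse to get travel order.
    """
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold/normalise whitespace
        if not m:
            continue
        ip = m.group("ip")
        hops.append({
            "from": m.group("from").strip("[]"),
            "ip": ip,
            "by": m.group("by"),
            # RFC 1918 / loopback / link-local addresses are internal to the sender's network
            "private": bool(ip) and not ipaddress.ip_address(ip).is_global,
        })
    hops.reverse()
    return hops


def hops_via(hops: list, domains=KNOWN_SENDER_DOMAINS) -> list:
    """Hostnames on either side of any hop that fall under one of the given domains."""
    suffixes = tuple("." + d for d in domains)
    seen = []
    for hop in hops:
        for host in (hop["from"], hop["by"]):
            if host.lower().endswith(suffixes) and host not in seen:
                seen.append(host)
    return seen


def public_handoff(hops: list):
    """First hop whose source IP is globally routable.

    That is the point where the message left the sender's own network, and the
    address worth comparing against the sender's published mail-server ranges.
    """
    for hop in hops:
        if hop["ip"] and not hop["private"]:
            return hop
    return None


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    for n, hop in enumerate(chain, 1):
        kind = "private" if hop["private"] else "public"
        print(f"hop {n}: {hop['from']} [{hop['ip']}] ({kind}) -> {hop['by']}")
    print("sender-side hosts:", hops_via(chain))
    print("public handoff:", public_handoff(chain))
```

      Only the Received line written by your own receiving MTA (the topmost one, “by vw1.***.com” here) is under your control; every line below it was written by the sender’s systems and could have been forged by anyone who controlled that relay, so the public handoff address is the one to check, and the internal 192.168.x hop tells you only what the sender chose to record.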

  26. Hongwen Zhang

    Thanks for your post, and for helping to keep your readers informed about this breach. In order to defend against this type of attack, businesses can no longer rely on point solutions such as firewalls, IDS/IPS devices, or simple IP reputations. Solutions that can provide deep content inspection to detect embedded attacks across email and Web sessions should also be implemented. This breach also illustrates the importance of ensuring network layer Data Leakage Prevention (DLP) for service providers, in order to prevent the outflow of email addresses. Our company, Wedge Networks has focused on building such solutions for years, and is leading efforts to prevent the good things from flowing out, and bad things from flowing in.

  27. DaveMich

    Brian. Epsilon says that this only affected “2% of their customers”. Note how they didn’t say how much of their *data* was compromised. I’m finding it hard to believe that the aggregate of these large companies only represents anything like 2% of their *data* exposure.

    It really appears that they were totally owned and that whoever sucked the data out went for the big fish first.

  28. Arul

    If Epsilon got compromised then there is no hope for me using aweber! I know aweber got hacked a lot more! But really, why can’t they secure a list that could be worth millions?

  29. Mark Grinberg

    See my response here: http://flashdriveterrorism.com/?p=343
    Excerpt: Bruce Schneier has come out saying he has “no idea why the Epsilon hack is getting so much press.” He says that these events happen all the time, which is almost an understatement. Schneier points out that even though the hack could have been much worse, and big name companies were affected, it is not, as some are calling it, “the hack of the century.” I’m no Bruce Schneier, but I’d like to offer an explanation and its consequences.

    Sure, the Epsilon hack was messy. Krebs on Security reported on this. They quoted Jonathan Zittrain, co-founder of the Berkman Center for Internet & Society, who noted that Epsilon security was “lazy” and that customers who opted out of receiving e-mails were still retained in the database, meaning that their e-mails were also compromised. However, I agree with Schneier — regardless of all the big name companies and the lazy security (the fact that it could have been much worse), it doesn’t seem like this should have made such a big impression.

    I believe that the reason this has gotten so much press is simply because Epsilon and its customers (Marriott, Walgreens, etc.) have let the information get press. Unlike many corporations who have experienced similar leaks in recent memory, most (all?) of the companies that had information with Epsilon have contacted those on their mailing lists. In 2005, only 20% of respondents in a survey of corporations targeted by cyber attacks said that they had reported incidents to law enforcement. (Janczewski and Colarik, Chapter 3 page 3) Why did so many incidents go unreported? Corporations are afraid of exactly what happened in this case – bad press. Epsilon’s parent company, Alliance Data Systems Corp. (ADS) has seen stock prices fall, and there are doubtlessly other consequences for the affected corporations.
    There is hope in this event, though. The more clarity and openness that exists in regard to these incidents, the greater the chance that solutions can be found and security will be taken more seriously. If Epsilon had perhaps heard of another similar organization that had this issue, maybe they wouldn’t have been so lazy. Additionally, and perhaps more critically, the users of these systems – individuals on the ground level, may take more steps to secure themselves in the future.

Comments are closed.