What the Epsilon Data Breach Means To You

Monday, April 11, 2011

Alexander Rothacker


If you haven’t had an email address exposed in the recent, massive Epsilon database breach, you probably know someone close to you who has.

Personally, I’ve gotten nearly 10 emails from various companies alerting me that my email address was exposed.

While this breach is massive in size, it is not the first breach of its kind. Last December, email marketing company Silverpop was on the hook for compromising millions of records due to a database breach.

Silverpop, along with its big-name customers that included Honda, deviantART, McDonald’s and Walgreens, was heavily reported on in the news. Yet, less than four months later, we see yet another massive breach in the news.

There has even been speculation that this breach, although it didn’t compromise Social Security numbers or credit card numbers, could have been one of the largest breaches of all time.

Which brings me to my next point: although this breach “only” compromised the email addresses of millions of customers, it’s still very alarming and consumers need to proceed with caution.

The combination of names, email addresses, merchants and financial institutions is a treasure trove for phishing attacks. It’s a much bigger problem than someone just knowing your email address. A list of email addresses used by big-name retailers and banks is basically a very targeted list of usernames.

What You Can Do

Now is a great time to make sure you have good, strong and unique passwords on all the websites that store your personal or financial information. In general, it might be a good practice to use specific email accounts that you only use to register for a certain group of websites.

Depending on how secure you want to be, you could create several email addresses: one specifically for online banking, one for online shopping, and so on.

At this point, I would be vigilant about any merchant email and never click on any links contained in those emails. If you think a retailer or bank emailed you about your online account, go directly to their website and log in. Avoid clicking any links in emails.

Remember, phishing emails often look identical to legitimate emails. Imagine a phishing email along the lines of:

"Hello Alex, We would like to confirm your recent BestBuy purchase with your Citi card. Please click here (link to phishing site) and log on using your citicard account login."

Once the attackers have a customer’s real name, they can even conduct some social engineering and Google around to figure out their mother’s maiden name, place of birth, and so on, and then reset the password using that information.

What Does This Breach Mean To Consumers?

Customers of these popular banks and retailers will most likely experience a higher volume of phishing attacks. At first glance, these emails may look completely legitimate, but there may be typos or requests that you usually don’t get from the companies.

For example, you may get an email asking you to reset your password by clicking a link in the email, or to update the information the company has on file. Do not click any links in your email.

Once clicked, such a link may deliver malware that compromises your computer and potentially gathers usernames, passwords and other information you type on it.

If you receive an email you are unsure about, go directly to the company’s website and try to log into your account that way instead of clicking suspicious links.
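As an added illustration (not part of the original post) of the mismatch to look for before trusting a merchant email: a small Python checker that extracts the links in a message body and flags any whose destination is not one of the named brand's own domains, or whose host name merely imitates a brand. The brand-to-domain allowlist and both sample messages are constructed for this example.

```python
# Added example, not code from the original post: flag links in a
# merchant-style email that do not lead to the brand the message invokes.
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains per brand (illustrative values only).
LEGIT_DOMAINS = {
    "citi": {"citi.com", "citicards.com"},
    "bestbuy": {"bestbuy.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

def registered_domain(host: str) -> str:
    """Last two labels of a host name (naive: ignores multi-part public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def mentioned_brands(body: str) -> set:
    """Brands the message text names, e.g. 'your Citi card'."""
    text = body.lower()
    return {brand for brand in LEGIT_DOMAINS if brand in text}

def suspicious_links(body: str) -> list:
    """Return (url, reason) pairs for links that do not match the brands named in the message."""
    findings = []
    brands = mentioned_brands(body)
    allowed = set().union(*(LEGIT_DOMAINS[b] for b in brands))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registered_domain(host)
        # A host that contains a brand name but is not registered under that brand.
        lookalike = [b for b in LEGIT_DOMAINS if b in host and reg not in LEGIT_DOMAINS[b]]
        if lookalike:
            findings.append((url, "lookalike host for " + ", ".join(lookalike)))
        elif brands and reg not in allowed:
            findings.append((url, "link leaves the brands named in the message"))
    return findings

# Constructed sample messages modelled on the phishing text quoted in the post.
PHISH = ("Hello Alex, We would like to confirm your recent BestBuy purchase with your "
         "Citi card. Please click http://citicard-verify.example.net/login and log on.")
LEGIT = "Hello Alex, Your Citi card statement is ready. Sign in at https://online.citi.com/ to view it."

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, suspicious_links(msg))
```

The checker only reports why a link does not fit the message; the post's advice still stands: type the merchant's address yourself rather than following any link.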

Proactive Protection

Customers should demand from their merchants that they do all they can do to protect their personal information. While the cat is out of the bag with Epsilon, pressure should be put on other merchants to better protect information in the future.

For instance, customers can contact these merchants by writing letters or calling, requesting the necessary security measures be taken with their information.

In addition, using separate email accounts can help mitigate the aftermath of attacks like this. Short of not using online offerings, this may be the most practical solution available to consumers to safeguard themselves from future phishing attacks.

What Can Other Companies Do To Prevent Third Party Breaches Of Customer Information?

Organizations rely on third-party providers for numerous responsibilities and often treat them as an extension of their organization. While in this case it was an email marketing relationship, organizations allowing third parties access to ANY information should REQUIRE that they have the most stringent security measures in place to protect against both internal and external threats.

While hackers are always looking to penetrate an organization’s security measures to get access to its sensitive data, an organization makes its money with that data and it’s in its best interest to safeguard it.

The frequently targeted email marketing companies should have learned this lesson back in December when the Silverpop breach occurred. If your organization provides its information to a third party, you must ensure they have adequate security measures in place.

Before signing the contract, ask about security and REQUIRE it. It’s not just the third party that gets raked over the coals in the media; it’s also the companies outsourcing their data.

The investments most companies have made in firewalls and other network perimeter defenses have not been effective at eliminating the risk of external attacks. It’s time to think like the criminals do, and build our next generation of protection around what the bad guys want to access most – databases.

A rigorous approach to database security, including vulnerability assessment, user rights review, and database activity monitoring would likely have detected and limited the damage from an attack like the one we speculate occurred at Epsilon.

Cross-posted from TeamSHATTER.com
