Epsilon Data Breach Could Enable More RSA-Style Phishing Attacks
If you haven’t already, you are about to get an email or letter informing you that your email address may have been obtained by unauthorized parties. Email marketing firm Epsilon suffered a data breach late last week that potentially exposed its corporate clients’ customer information, specifically email addresses and/or customer names. While not itself a household name, Epsilon did business with household names like TiVo, Target, Chase and about 2,500 more companies.
Though Epsilon denies that personally identifiable information was involved, which would mean that state data breach notification laws are not triggered, the firm and its partners have nevertheless embarked on the project of notifying their customers of the potential breach in a uniform email. Given the apparent scope of the breach, security experts, myself included, generally seem to agree that Epsilon’s decision to notify is the right one, as the heads-up may help prevent any further fallout. While names and email addresses in isolation are not considered particularly sensitive, Brian Krebs reports that an attacker who knows all the companies with which you have accounts could craft an effective spear phishing attack. A message that correctly names your bank or the hotel chain you frequent can give you false confidence when it asks you to click on attachments containing malware.
Individuals should employ a little self-help. Do not give out passwords or other sensitive account information over unencrypted email, and do not open unexpected attachments from unknown people. Meanwhile, the decision by Epsilon and its business partners to give consumers some advance warning may ultimately reduce consumer harm, but they must nonetheless prepare for public, and potentially regulatory, scrutiny of their security practices. It will be interesting to see whether Epsilon’s decision to notify its customers of the email address breach in this high-profile matter leads other companies to do the same in similar situations in the future.
You can find more information on the breach, and comments by Marc Zwillinger, in the Bloomberg Businessweek article “Citigroup, Walgreen, New York & Co. Warn of E-Mail Breaches,” by Michael Riley and Dan Hart.