The Epsilon Breach: What You Should Know & Who Can Help
Apr 6, 2011 1:59pm
By Caitin Condon, StopBadware
For the past several days, consumers have been bombarded with news about a major data breach affecting Epsilon, the online marketing unit of Alliance Data Systems Corp. Epsilon provides email marketing services for roughly 2,500 customers, including major banks, retailers, and other service providers. No sensitive financial information was compromised; however, the attacker(s) obtained millions of email addresses and names from Epsilon’s database. The incident has set off a wave of warnings about phishing attacks, where malicious actors attempt to steal sensitive information (usernames, passwords, credit card info, etc.) by masquerading as trustworthy online entities, like banks or trusted retailers.
The Epsilon breach gave hackers access to names and email addresses on major companies’ email lists, which gives phishers extra ammunition: their attacks can be highly personalized and targeted at users who would typically open emails from the companies in question. These types of targeted phishing attacks, often referred to as spear phishing, can look extremely realistic. Unfortunately, phishers don’t even have to coax their victims into entering personal information; they can merely create a fake website pretending to be the site of a bank, retail company, or other service provider, and lace the spoofed site with malware. When a user visits the fake site (after clicking on a malicious URL in a phishing email, for example), his or her computer is infected with a Trojan that surreptitiously gathers personal information--like financial account information--without the user ever having to type in anything at all.
So far, almost 50 major companies have admitted to being affected. Security writer Brian Krebs has a growing list that’s being updated regularly. Many of the affected companies have contacted consumers via email to warn them of the data breach and remind them that the company will never request personal information or account login information via email. Consumers are also warned not to click on links or respond to emails claiming to be from affected companies.
There’s an overwhelming stream of information available right now about what malicious actors might do in the wake of Epsilon’s data breach and what users should do to avoid phishing attacks. The underlying theme of all the tips and tutorials is clear, however: use common sense and take extra caution in light of this recent incident. Don’t enter personal information or login credentials in response to an email prompt, no matter how convincing or “urgent” the message.
Caitlin Condon is the Raconteur at nonprofit anti-malware organization StopBadware. She tells StopBadware's story across various online communities and coordinates communication between people at all points on the technological spectrum.