Epsilon's Security Breach Exposes Troubling Trend

April 5, 2011

Hackers intensify attacks on service providers in recent months, seeking to steal customer email addresses and more.

"Important message from Target," read the subject line of the email sent to Target customers Monday. "Target's email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party," the message stated.

Notes like these were delivered to an undisclosed number of customers of an estimated 50 companies, including Target, Chase, Marriott, Walgreens, and Capital One, over the past four days after their email service provider, Epsilon, disclosed that an intruder had accessed its email records.

Epsilon said only email addresses were exposed and not information such as credit card numbers, Social Security numbers, or customer names. Epsilon also said the breach affected 2 percent of its clients.

However, the affected businesses warned their customers to avoid phishing attacks designed to trick them into providing personal information, passwords, and other sensitive information to hackers who may now have access to their email addresses.

Craig Spiezle, executive director at the Online Trust Alliance, said he could not comment specifically about the Epsilon breach. However, he said it represents one of several incidents that could erode public trust in service providers. (The alliance is an industry group that works on behalf of its members to improve trust in e-commerce and other digital services; Epsilon is listed as a member.)

The Epsilon incident, he said, "underscores the importance that we must increase investment in security measures. They are not the first ESP and they probably won't be the last (to be hacked)."

Advances in email filtering offer some safeguards against fraudsters. "Just having a [customer email] list alone does not mean you can contact a person," Spiezle said. "The ISPs have mechanisms to detect spam. They can look at an IP address to determine if mail is authentic."

What's especially troublesome, he said, is the velocity and sophistication of attacks against service providers - and not just email service providers.

Consider these recent incidents:

- Silverpop, a digital marketing services company, disclosed in December that it was one of several technology providers that were targeted as part of a cyber attack. CEO Bill Nussey, in a blog post, said a quick decision to reset customer passwords halted the attack. "Third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned," Nussey wrote.

- RSA Security, which develops software and hardware to protect computer networks, said last month that a cyber attacker had stolen information that could potentially reduce the effectiveness of its SecurID two-factor authentication products.

- A hacker tricked Comodo, the developer of anti-virus software, into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other websites, according to a CNET report.

Spiezle's advice for businesses? "If you are collecting data, you have to assume you will lose it," he said. Businesses must ask: What are you doing to minimize access and collection of data? What are you doing to detect intrusions and remediate breaches? "That's a business mindset you have to have. You have to be prepared for the worst," he said.

One indication of the size of the exposure: "Epsilon" emerged as a trending topic on Twitter last night as people tweeted and retweeted about the breach. "May need to create a filter just for notifications about Epsilon's email breach," tweeted Doug Bowman, aka @stop.

Other people expressed surprise over the fact that a company they never heard of had access to their information.

"Who is Epsilon & why was my data exposed to unauthorized entry... Hate when my junk is violated without my consent," tweeted AJ Karim, aka @ajkarim.

ABOUT THE AUTHOR

Anna Maria Virzi

Anna Maria Virzi, ClickZ's executive editor from 2007 until 2012, covered Internet business and technology since 1996. She was on the launch team for Ziff Davis Media's Baseline and also worked at Forbes.com, Web Week, Internet World, and the Connecticut Post.
