Hackers intensify attacks on service providers in recent months, seeking to steal customer email addresses and more.
"Important message from Target," read the subject line of the email sent to Target customers Monday. "Target's email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party," the message stated.
Notes like these were delivered to an undisclosed number of customers of an estimated 50 companies, including Target, Chase, Marriott, Walgreens, and Capital One, over the past four days after their email service provider, Epsilon, disclosed that an intruder had accessed its email records.
Epsilon said only email addresses were exposed and not information such as credit card numbers, Social Security numbers, or customer names. Epsilon also said the breach affected 2 percent of its clients.
However, the affected businesses warned their customers to avoid phishing attacks designed to trick them into providing personal information, passwords, and other sensitive information to hackers who may now have access to their email addresses.
Craig Spiezle, executive director at the Online Trust Alliance, said he could not comment specifically about the Epsilon breach. However, he said it represents one of several incidents that could erode public trust in service providers. (The alliance is an industry group that works on behalf of its members to improve trust in e-commerce and other digital services; Epsilon is listed as a member.)
The Epsilon incident, he said, "underscores the importance that we must increase investment in security measures. They are not the first ESP and they probably won't be the last (to be hacked)."
Advances in email filtering offer some safeguards against fraudsters. "Just having a [customer email] list alone does not mean you can contact a person," Spiezle said. "The ISPs have mechanisms to detect spam. They can look at an IP address to determine if mail is authentic."
What's especially troublesome, he said, is the velocity and sophistication of attacks against service providers - and not just email service providers.
Consider these recent incidents:
- Silverpop, a digital marketing services company, disclosed in December that it was one of several technology providers that were targeted as part of a cyber attack. CEO Bill Nussey, in a blog post, said a quick decision to reset customer passwords halted the attack. "Third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned," Nussey wrote.
- RSA Security, which develops software and hardware to protect computer networks, said last month that a cyber attacker had stolen information that could potentially reduce the effectiveness of its SecurID two-factor authentication products.
- A hacker tricked Comodo, the developer of anti-virus software, into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other websites, according to a CNET report.
Spiezle's advice for businesses? "If you are collecting data, you have to assume you will lose it," he said. Businesses must ask: What are you doing to minimize access and collection of data? What are you doing to detect intrusions and remediate breaches? "That's a business mindset you have to have. You have to be prepared for the worst," he said.
One indication of the size of the exposure: "Epsilon" emerged as a trending topic on Twitter last night as people tweeted and retweeted about the breach. "May need to create a filter just for notifications about Epsilon's email breach," tweeted Doug Bowman, aka @stop.
Other people expressed surprise that a company they had never heard of had access to their information.
"Who is Epsilon & why was my data exposed to unauthorized entry... Hate when my junk is violated without my consent," tweeted AJ Karim, aka @ajkarim.
Anna Maria Virzi, ClickZ's executive editor from 2007 until 2012, has covered Internet business and technology since 1996. She was on the launch team for Ziff Davis Media's Baseline and also worked at Forbes.com, Web Week, Internet World, and the Connecticut Post.