Epsilon's Security Breach Exposes Troubling Trend
Hackers intensify attacks on service providers in recent months, seeking to steal customer email addresses and more.
“Important message from Target,” read the subject line of the email sent to Target customers Monday. “Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party,” the message stated.
Notes like these were delivered to an undisclosed number of customers of an estimated 50 companies, including Target, Chase, Marriott, Walgreens, and Capital One over the past four days after their email service provider, Epsilon, disclosed that an intruder had accessed its email records.
Epsilon said only email addresses were exposed and not information such as credit card numbers, Social Security numbers, or customer names. Epsilon also said the breach affected 2 percent of its clients.
However, the affected businesses warned their customers to avoid phishing attacks designed to trick them into providing personal information, passwords, and other sensitive information to hackers who may now have access to their email addresses.
Craig Spiezle, executive director at the Online Trust Alliance, said he could not comment specifically about the Epsilon breach. However, he said it represents one of several incidents that could erode public trust in service providers. (The alliance is an industry group that works on behalf of its members to improve trust in e-commerce and other digital services; Epsilon is listed as a member.)
The Epsilon incident, he said, “underscores the importance that we must increase investment in security measures. They are not the first ESP and they probably won’t be the last (to be hacked),” he said.
Advances in email filtering offer some safeguards against fraudsters. “Just having a [customer email] list alone does not mean you can contact a person,” Spiezle said. “The ISPs have mechanisms to detect spam. They can look at an IP address to determine if mail is authentic.”
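The IP-based check Spiezle alludes to is what SPF (Sender Policy Framework) does: the receiving mail server looks up the sender domain's published SPF record and tests whether the connecting IP is one the domain has authorized. The following is an added illustration, not code from the article or from Epsilon or any provider named in it. The domain names and SPF records are constructed for the example and the `evaluate_spf` and `triage_message` functions are hypothetical; a real deployment would resolve the TXT records over DNS and implement the full RFC 7208 mechanism set rather than the subset shown here.

```python
import ipaddress

# Constructed sample SPF TXT records keyed by domain (stand-in for DNS lookups).
# A retailer delegates outbound mail to an email service provider, which in
# turn includes a second record for one of its sending pools.
SPF_RECORDS = {
    "retailer.test": "v=spf1 include:example-esp.test -all",
    "example-esp.test": "v=spf1 ip4:192.0.2.0/24 include:_pool.example-esp.test -all",
    "_pool.example-esp.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for one connection.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps include recursion; treat deeper as an error
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without a prefix default to pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the referenced domain yields 'pass'
            matched = evaluate_spf(arg, sender_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # mechanisms outside this toy subset are skipped
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def triage_message(envelope_from_domain, connecting_ip):
    """Map an SPF result to a receiving-side action for a message."""
    result = evaluate_spf(envelope_from_domain, connecting_ip)
    if result == "pass":
        return "accept"
    if result in ("fail", "permerror"):
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "accept-unauthenticated"  # 'neutral' / 'none': no policy to enforce


if __name__ == "__main__":
    # Legitimate mail from the provider's authorized range passes.
    print(triage_message("retailer.test", "192.0.2.77"))
    # Mail from an unrelated host claiming the retailer's domain is rejected.
    print(triage_message("retailer.test", "203.0.113.5"))
```

The design point is the `include` chain: a brand that outsources mail to a provider authorizes the provider's IP ranges indirectly, so a stolen address list sent from elsewhere still fails the check at the receiving ISP, which is exactly the safeguard the quote describes. A `-all` record is what makes that failure a hard reject rather than a soft one.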
What’s especially troublesome, he said, is the velocity and sophistication of attacks against service providers – and not just email service providers.
Consider these recent incidents:
– Silverpop, a digital marketing services company, disclosed in December that it was one of several technology providers that were targeted as part of a cyber attack. CEO Bill Nussey, in a blog post, said a quick decision to reset customer passwords halted the attack. “Third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned,” Nussey wrote.
– RSA Security, which develops software and hardware to protect computer networks, said last month that a cyber attacker had stolen information that could potentially reduce the effectiveness of its SecurID two-factor authentication products.
– A hacker tricked Comodo, the developer of anti-virus software, into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other websites, according to a CNET report.
Spiezle’s advice for businesses? “If you are collecting data, you have to assume you will lose it,” he said. Businesses must ask: What are you doing to minimize access and collection of data? What are you doing to detect intrusions and remediate breaches? “That’s a business mindset you have to have. You have to be prepared for the worst,” he said.
One indication of the size of the exposure: “Epsilon” emerged as a trending topic on Twitter last night as people tweeted and retweeted about the breach. “May need to create a filter just for notifications about Epsilon’s email breach,” tweeted Doug Bowman, aka @stop.
Other people expressed surprise over the fact that a company they never heard of had access to their information.
“Who is Epsilon & why was my data exposed to unauthorized entry… Hate when my junk is violated without my consent,” tweeted AJ Karim, aka @ajkarim.