By now, some of you and your customers will probably have received notifications from various vendors regarding the recent compromise of systems run by the e-mail marketing company Epsilon. For those of you who are unaware of the events, I will try to summarize.
Epsilon provides e-mail services to large organizations such as College Board, Citibank, Chase, Best Buy, Target, Kroger and American Express, plus at least 32 others (seven of which are financial institutions). Its systems were compromised, and the e-mail addresses (and in some cases the names) of customers of these businesses were likely obtained. That greatly increases the chance that phishing e-mails will be sent to customers of these businesses by someone other than the company you registered your e-mail address with.
In response, most of the companies that use the Epsilon service have begun sending notifications informing individuals of the event and providing recommendations on how to avoid being taken advantage of by false e-mails. Over the next few days please take note of these instructions (examples of these notifications are included below). Please caution your customers not to respond to these (or, more importantly, FUTURE) e-mails, not to call any 800 numbers they provide, and to be even more alert to their content. It is likely some of these false messages will look something like this:
“Dear Neil, You know about our recent breach we wrote to you about. Please go to our database and confirm your [personal account] information. Signed, Visa.”
Included below are some links to the summaries provided by the various security news outlets.
FAQ: Epsilon email breach
Names and emails were exposed, but it could have been worse
‘We regret to inform you’: The Epsilon breach letters you don’t want to see
Thousands of customers of Marriott, JPMorgan Chase, Walgreens, Capital One, Brookstone, BJ’s, TIVO, Barclays Bank of Delaware, Red Roof and others get the bad news email
On the surface, the massive hack of email service provider Epsilon might seem relatively benign — no credit card accounts, Social Security numbers, or source code were stolen, just millions of email addresses and, in some cases, full names. But security experts say the attack, which affects customers of major retailers and financial institutions, could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.
UPDATED: The number of companies that was affected by the attack on online marketing firm Epsilon Data Management has continued to grow, virtually by the hour. Many retailers, banks and other firms sent out notification letters to their customers on Monday, and to help you keep track of who’s affected, we’ve compiled a list of known companies victimized by the Epsilon attack.
“We’ll find out more in the days and weeks ahead, but this does appear scary,” said Cohen about the Epsilon breach. “[Criminals] not only have email addresses, but also names, which puts the advantage in the hands of scammers.”
With both, scammers can craft more convincing emails that not only appear to come from the customer’s bank or favorite retailer, but also identify the recipient by name.
“The economics are such that they need only a very, very small percentage of people to fall for a phishing attack to make money,” Cohen said.
And that’s not hard: According to data from SonicWALL’s online phishing quiz, people incorrectly identify fake and legitimate emails 22% of the time.
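The quoted articles describe the attacker's advantage in prose: a real first name, a real address and a brand the recipient already trusts. As an added example that is not part of this memo or of any article quoted in it, the Python below applies the checks an analyst would otherwise make by hand on a forwarded message: does the From/Reply-To domain belong to the brand, does the receiving gateway's SPF/DKIM verdict in Authentication-Results back it up, do the links go where their visible text says, and does the body ask the reader to "confirm" account details or call a toll-free number. Both sample messages are constructed; the lure is modelled on the "Dear Neil" text above, and the brand domains, sender addresses and the chase-online-verify.example domain are assumptions for illustration.

```python
"""Triage a suspected post-breach phishing e-mail (added example, not from the
memo; the two sample messages and every address/domain in them are made up)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}   # assumed legitimate senders
LURE_PHRASES = ("confirm your account", "verify your account",
                "login credentials", "update your information")

# Constructed lure: uses the leaked first name, fakes the brand, links elsewhere.
SAMPLE_PHISH = """\
From: "Chase Security" <alerts@chase-online-verify.example>
Reply-To: confirm@chase-online-verify.example
Subject: Action required: confirm your account after the Epsilon incident
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=chase-online-verify.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Neil,</p><p>You know about our recent breach we wrote to
you about. Please visit <a href="http://chase-online-verify.example/login">https://www.chase.com/</a>
and confirm your account information, or call 1-800-555-0199.</p></body></html>
"""

# Constructed legitimate notice in the style of the letters quoted in the memo.
SAMPLE_LEGIT = """\
From: "Chase" <alerts@chase.com>
Subject: An Important Message Regarding Your Credit Card
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=chase.com; dkim=pass header.d=chase.com
Content-Type: text/html; charset="utf-8"

<html><body><p>If you want to contact Chase, please do not reply to this
message, but instead go to <a href="https://www.chase.com/">Chase Online</a>.</p></body></html>
"""

class _Links(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels of a hostname; a real tool should use the Public Suffix List."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def addr_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value))
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""

def triage(raw, brand_domains=BRAND_DOMAINS):
    """Return a list of findings for the message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Who sent it, and who receives replies? Both should be the brand.
    for hdr in ("From", "Reply-To"):
        if msg[hdr] is not None and addr_domain(msg[hdr]) not in brand_domains:
            findings.append(f"{hdr} domain {addr_domain(msg[hdr])} is not a brand domain")
    # 2. Does the gateway's SPF/DKIM/DMARC verdict back up the From address?
    #    (Only trust an Authentication-Results header added by your own MTA.)
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{mech}={result}")
    # 3. Where do the links really go, and does the visible text lie about it?
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    parser = _Links()
    parser.feed(body)
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname)
        if target and target not in brand_domains:
            findings.append(f"link points to off-brand domain {target}")
        shown = registrable(urlparse(text).hostname) if "://" in text else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    # 4. Does the text ask for credentials or push a callback number?
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    findings += [f"lure phrase: {p!r}" for p in LURE_PHRASES if p in plain]
    if re.search(r"\b1?-?8(?:00|88|77|66|55)-\d{3}-\d{4}\b", plain):
        findings.append("toll-free callback number in body")
    return findings
```

`triage(SAMPLE_LEGIT)` returns an empty list, while `triage(SAMPLE_PHISH)` trips every check: off-brand From and Reply-To domains, `spf=fail` and `dkim=none`, a link whose visible text shows chase.com but resolves to chase-online-verify.example, the "confirm your account" lure and a toll-free callback number. Two caveats for real use: an attacker can add an Authentication-Results header of their own, so only the one written by your own gateway counts, and the last-two-labels domain reduction is a stand-in for a Public Suffix List lookup.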
Examples of legitimate e-mails sent by companies that use the Epsilon Service.
From: Credit Card [mailto:email@example.com]
Sent: Tuesday, April 05, 2011 8:21 PM
Subject: An Important Message Regarding Your Credit Card
Add firstname.lastname@example.org to your address book to ensure delivery.
Your Account: Important Notification
Note: This is a service message with information related to your e-mail address.
If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.
Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Notice. To request in writing: Chase Privacy Operations, P.O. Box 659752, San Antonio, TX 78265-9752.
JPMorgan Chase Bank, N.A. Member FDIC
From: TIAA-CREF [mailto:email@example.com]
Sent: Tuesday, April 05, 2011 11:30 PM
Subject: An Important Message from TIAA-CREF
April 5, 2011
TIAA-CREF has been informed by Epsilon, a vendor we use to send emails, that files containing the first names, last names and email addresses of some TIAA-CREF participants were accessed without authorization.
We have not shared any participant account or financial information with Epsilon. So, this incident has not compromised your TIAA-CREF accounts and they remain secure. For your security, however, we wanted to call this matter to your attention.
As always, do not reply to emails asking for your personal information, account numbers or any other type of confidential information. TIAA-CREF will never ask for your personal information or login credentials in an email.
Below are some additional precautions we recommend you follow:
We regret any inconvenience this may have caused and will keep you informed of relevant updates. For more information on TIAA-CREF’s commitment to keeping your personal information secure, please visit: http://www.tiaa-cref.org/public/about/inside/topics/index.html?tc_lnk=bottomutlity&tc_mcid=emepsilon0411.
Questions or feedback? Contact us directly. Please DO NOT REPLY to this email.
To update your email address or preferences, log in to your account from the TIAA-CREF home page, go to My Profile, then Contact Information and eDelivery Preferences.
Add firstname.lastname@example.org to your address book to ensure that you receive emails from TIAA-CREF.
Concerned about privacy? Read our online policy.
©2011 Teachers Insurance and Annuity Association-College Retirement Equities Fund (TIAA-CREF), 730 Third Avenue, New York, NY 10017.