Apr 9, 2011

Massive Breach at Epsilon Compromises Customer Lists of Major Brands


By Mike Lennon on Apr 02, 2011 
 
Due to the growing list of brands disclosing they've been compromised as a result of this breach, I’m going to go ahead and tag this as a massive breach, and I expect it to get bigger as more announcements come out from Epsilon customers. Last night we reported on a breach at marketing services provider Epsilon, the world’s largest permission-based email marketing provider. Initially we wrote that the breach had affected Kroger, the nation's largest traditional grocery retailer.
It turns out that Kroger is only one of many customers affected by the breach at Epsilon.
Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, which use it to build and host their customer databases.
SecurityWeek has been able to confirm that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands including the following:

• Kroger
• TiVo
• US Bank
• JPMorgan Chase
• Capital One
• Citi
• Home Shopping Network (HSN) (added 4/3 @10:22am)
• Ameriprise Financial
• LL Bean Visa Card
• Lacoste
• AbeBooks
• Hilton Honors Program
• Dillons
• Fred Meyer
• Beachbody (Makers of TRX)
• TD Ameritrade
• Ethan Allen
• Eileen Fisher
• MoneyGram
• TIAA-CREF
• Verizon
• Marks & Spencer (UK)
• City Market
• Smith Brands
• McKinsey & Company
• Ritz-Carlton Rewards
• Marriott Rewards
• New York & Company
• Brookstone
• Walgreens (Again!)
• The College Board (added 4/3 @8:20am)
• Disney Destinations
• Best Buy
• Robert Half
• Target
• QFC
• bebe Stores
• Ralphs
• Fry's
• 1-800-Flowers
• Red Roof Inn
• King Soopers
• Air Miles
• Eddie Bauer
• Scottrade
• Dell Australia
• Jay C


Some may dismiss the type of data harvested as a minor threat, but access to customer lists opens the door to targeted phishing attacks against customers who expect communications from these brands. A targeted phishing message sent to a bank customer and addressed to them by name will certainly achieve a much higher “hit rate” than a typical “blind” spamming campaign, so this information will help phishing attacks succeed more often.
A Marriott Rewards & Ritz Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed:
"We recently discovered that one of our third parties’ computer systems was tampered with. Tampering with our systems by an unauthorized person or persons is an illegal act and we reported this incident to a law enforcement agency who is currently investigating this matter. The unauthorized person(s) had access to email addresses and member point balances. They did not have access to member addresses, account logins and passwords, credit card information or other personal data," the spokesperson wrote in an email.
Correction: The Marriott Rewards spokesperson contacted us on Sunday to correct their initial statement, saying that member point balances were not disclosed after all.
Citi also warned customers over Twitter about the incident, tweeting the following: "Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email" with a link to the following statement: "Because e-mail addresses can be used for 'phishing' attacks, we want to remind our customers that Citi uses an Email Security Zone in all our email to help them recognize that the email was sent by us. Customers should check the Email Security Zone to verify that email they have received is from Citi and reduce the risk of personal information being 'phished.'"
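Citi's advice is that customers verify who a message really came from rather than trusting the brand name it displays, and that is also the check a mail team can automate on the receiving side. The following is an added example, not code from SecurityWeek, Citi or Epsilon: it flags From: headers that reference a brand from the affected list but are sent from a domain the brand is not expected to use. The brand-to-domain table and the sample headers are constructed for the example; the domains are assumptions, not data from the article.

```python
from email.utils import parseaddr

# Constructed brand-to-domain table for this example. The domains are
# assumptions standing in for whatever sender domains a mail team would
# actually expect for each brand; they are not taken from the article.
EXPECTED_SENDER_DOMAINS = {
    "citi": {"citi.com", "citibank.com"},
    "kroger": {"kroger.com"},
    "marriott": {"marriott.com"},
}


def registered_domain(from_header):
    """Return the last two labels of the sender's domain, lower-cased,
    so that 'mail.marriott.com' and 'marriott.com' compare equal."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    return ".".join(labels[-2:])


def assess_sender(from_header):
    """Classify a From: header against the expected-domain table.

    Returns (brand, verdict):
      ('kroger', 'expected')  - the domain is one the brand is expected to use
      ('citi', 'mismatch')    - the display name or address mentions the brand,
                                but the domain is not one the brand uses
      (None, 'unknown')       - no known brand is referenced at all
    """
    display_name, address = parseaddr(from_header)
    domain = registered_domain(from_header)
    haystack = f"{display_name} {address}".lower()
    for brand, domains in EXPECTED_SENDER_DOMAINS.items():
        if domain in domains:
            return brand, "expected"
        if brand in haystack:
            return brand, "mismatch"
    return None, "unknown"


def flag_suspicious(headers):
    """Return (header, brand) for every header that names a known brand
    while arriving from a domain that brand is not expected to use."""
    flagged = []
    for header in headers:
        brand, verdict = assess_sender(header)
        if verdict == "mismatch":
            flagged.append((header, brand))
    return flagged


# Constructed sample From: headers; none of these are real messages.
SAMPLE_FROM_HEADERS = [
    "Kroger <noreply@kroger.com>",
    "Citi Alerts <alerts@citi-secure-login.example>",
    "alerts@mail.marriott.com",
    "Citibank Security <security@citi.com.attacker.example>",
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header, brand in flag_suspicious(SAMPLE_FROM_HEADERS):
        print(f"SUSPICIOUS ({brand}): {header}")
```

On the constructed samples this flags the two Citi lookalikes and passes the legitimate Kroger and Marriott senders. It is a coarse heuristic meant to sit behind, not replace, SPF/DKIM/DMARC results at the gateway; its value after a breach like this one is that the brand names a recipient is known to do business with are exactly the names a lookalike sender will use, so a display name that invokes one of them from an unexpected domain deserves a closer look.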
As the initial disclosure by Epsilon occurred late in the day on Friday, I expect several more brands to be announcing that they’ve been affected by the breach as well. When asked to comment, Epsilon has refused to provide additional details on what other brands may have been affected.

Plus:

http://www.securityweek.com/epsilon-confused-about-what-personally-identifiable-information-pii


Epsilon: Confused About What Personally Identifiable Information (PII) Is

By Mike Lennon on Apr 07, 2011

Epsilon’s parent company, publicly traded Alliance Data Systems Corporation (NYSE: ADS), today issued a follow-up statement to the recent massive data breach, but provided little information beyond what the company had already stated in its initial disclosure of the breach.
What’s interesting, however, is that Epsilon continues to claim that no Personally Identifiable Information (PII) was compromised. As the world's largest permission-based email marketer, I would think that Epsilon, more than anyone, would know what PII is AND what can be done with it.
What amazes me is that the subheading of the release dives directly into how no PII was compromised:
Investigation Continues to Confirm Compromise Limited to Email Addresses and Names; No Personal Identifiable Information (PII) Compromised
According to the Guide to Protecting the Confidentiality of Personally Identifiable Information, published by the National Institute of Standards and Technology, examples of PII include:
• Name, such as full name, maiden name, mother‘s maiden name, or alias
• Address information, such as street address or email address
According to Wikipedia, Personally Identifiable Information, when used in information security, is defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.”
It appears to me that Epsilon is a bit confused about the definitions, and about what can be done with the personally identifiable information that WAS compromised and is now in the hands of the attackers.
According to Joris Evers, director of worldwide public relations for McAfee, “The bad news is that clever attackers could use what has been breached to gain more information. The Epsilon breach exposes millions of consumer names and e-mail addresses, potentially associated with particular household brands that these consumers do business with. This collection could be a treasure trove for cyberattackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses.”
“While Epsilon is not disclosing the exact number of emails impacted, we’re likely talking about hundreds of millions of exposed email addresses. Because attackers can link these email addresses to banks and retailers the email owner actually does business with, the likelihood of a successful attack is significantly increased,” said Steve Dispensa, PhoneFactor CTO and co-founder. “Phishing emails that appear to come from a person’s bank or a retailer they regularly receive emails from are more likely to be acted upon. Unfortunately it is very difficult for the average person to distinguish between a dangerous and a safe email. The result is likely an increase in the number of successful phishing attacks over the next few months.”
Josh Shaul, CTO at Application Security, Inc., says people need to pay attention to what is being sent to them. “Everyone should be on high alert that their inboxes will very likely be hit hard with phishing attempts and need to be extra vigilant on what they click on,” said Shaul. “To be safe, we might be better off if we just deleted any and all emails that appear to have been sent from breached companies for the immediate future. Epsilon has an estimated 2,500 customers. So far we only know of 50 that were affected. There are likely to be many more and this has the potential to get very ugly, very fast.”
Epsilon said that it’s working with Federal authorities, as well as other outside forensics experts, to both investigate the breach and to ensure that any additional security safeguards needed will be promptly implemented.
Epsilon is in an unfortunate situation. As SecurityWeek columnist Terry Cutler recently wrote in “RSA Breach: Not the First, Not the Last,” that breach would not be the last, and just a few weeks later Epsilon is the first big event since. You can be sure that the Epsilon breach won’t be the last big breach either.
Maybe financial details aren’t directly in the hands of attackers. That’s a good thing. But the last time I checked, a name was a damn good way to identify someone.