Epsilon Data Breach – Threat of spear phishing
May 1, 2011 | By Damon Armour, IT Security Officer, contributing writer
During the last week of March, a marketing firm called Epsilon reported a data breach. Millions of email addresses may have been compromised as part of this breach. There are over 50 major clients of Epsilon affected by the breach. Some of these include 1-800-Flowers, Best Buy, Capital One, Citigroup, Dell, Kroger, Target, U.S. Bank, Verizon, and Walgreens. SecurityWeek has a list of the affected client companies at: http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
How does this affect me?
With legitimate email addresses being exposed to scammers, there is an increased risk of spam and phishing emails. The more sinister type of phishing, spear phishing, is the greatest risk. Spear phishing is targeted emails that appear to come from a trustworthy source seeking your personal/sensitive information. The FBI’s website has more details on spear phishing at http://www.fbi.gov/news/stories/2009/april/spearphishing_040109.
An example of an email that could be applicable to ASU campus employees is U.S. Bank, the bank that manages our health savings accounts (HSA), emails requesting sensitive information from individuals. ASU employees are also at risk with their personal email accounts tied to these clients of Epsilon. Many financial institutions were affected by this breach. Scammers or hackers could use a spear phishing email to convince unsuspecting individuals to provide their financial institution credentials. This could lead to an increased risk of identity theft and fraud.
The awareness of this incident has also created more fear-associated risks. The Virus Bulletin mentions that scammers have created fake Epsilon websites offering tools to protect an individual’s security. The “security tool” is actually a Trojan horse (malware) that can affect a computer’s performance or steal personal/sensitive information.
What can I do about it?
The best defense is to remain aware and cautious. Most, if not all, reputable businesses will not request personal/sensitive information over email. They will request an individual to log into an online account to update any information or to contact one of their toll-free call centers. Be aware that some phishing emails also include a URL that appears to be legitimate but directs a user to a malicious site. Individuals should only click a link within an email from a known source or if the user is expecting the link. Otherwise, access the account(s) by going through a web browser to the website. If individuals are still not sure of the legitimacy of an email from a business, they should contact that business directly for clarification. The time involved for verification is worth it over the potential loss of your personal/sensitive information.
What happens next?
In recent days, members of Congress have become involved with the Epsilon data breach. Senators Franken and Blumenthal have suggested that future hearings will be involved to understand the scope of the privacy issues faced by U.S. citizens. According to Network World:
This is one of the largest data breaches in history, yet most of the people affected by the Epsilon breach had never heard of that company before this week,” Franken said. “We need to give Americans more awareness about who has their information and greater ability to protect it.
Below is a notice email from U.S. Bank on the Epsilon breach:
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit: http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately. Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.