Wednesday, April 6, 2011

Lemming Tracks: Epsilon Breach, Spam, and Getting a Grip

First, the good news: This could have been worse.

Now, the bad news: Lots of folks may see lots more spam.

What Happened

Quite a few American companies use the same marketing service to handle their lists of customers who don't mind getting emailed advertising.

That means that folks who make online purchases, or use software/services like Intuit's TurboTax, could get email from some crook who wants access to their online identity.

So, as usual: If you get an email saying it's from Intuit - or any other company - that says your safety relies on clicking a link and giving your account numbers, passwords, name, physical address, date of birth, or any other personal information - - - don't.

The Lemming's Advice: Don't be Daft

While the Lemming is handing out useful advice: drinking gasoline isn't good for you, either. Which reminds the Lemming of stupid warning labels - and that's another topic.

They Know EVERYTHING?! - Actually, Not

So, who's affected, and how? Here's what the Lemming's found, along with what the hackers know - and what they don't.
  • Target
    • Names, no
    • Financial information, no
    • Email addresses, yes
  • Marriott
    • Names, yes
    • Financial information, no
    • Email addresses, yes
  • Hilton Hotels
    • Names, yes
    • Financial information, no
    • Email addresses, yes
  • JPMorgan Chase & Co
  • Citigroup
  • Capital One
  • Kroger (supermarkets)
  • Walgreen
  • Best Buy
  • TiVo

Is that a comprehensive list? Most likely not: The Lemming didn't spend all that much time researching this article. More advice from the Lemming: If you're concerned, check with the companies you do business with online. But right now, it looks like more spam is the biggest problem most of us will have.

Epsilon and the companies they served? That's partly why the Lemming isn't sorry to have missed the 'success' career track. Intentionally. Sorting this mess out is going to be a major headache. In the Lemming's opinion.

And Now, the News - and Views

"Tax prep maker warns customers of Epsilon email hack impact"
Gregg Keizer, Computerworld (April 6, 2011)

"Intuit on Tuesday warned its customers to be on alert for identity theft scams after a breach at a major marketing firm put millions of email addresses in hackers' hands.

"Although the maker of the popular TurboTax tax preparation program and the Quicken personal financial software was not among the more than 50 companies whose customer data was stolen, it cautioned users nonetheless.

" 'Intuit is not an Epsilon customer so the information you have entrusted with Intuit is not affected,' the company said in an alert published Tuesday on its site. 'However, Epsilon serves many large organizations including banks, insurance companies and retailers [and] you may have received one or more notices from companies you do business with who are clients of Epsilon.'

"Irving, Texas-based Epsilon Interactive acknowledged last week that attackers made off with customer email addresses and names, but the company has not shared much more information than that....

"...The popularity of tax-related cons may have prompted Intuit's move, said Ed Cohen, vice president of corporate development at SonicWall, a San Jose-based network security company.

"It's certainly the right time of the year for tax scams.

" 'There's actually little correlation between the volume [of tax-oriented schemes] and April 15,' said Cohen, talking about the traditional tax-filing deadline in the U.S. 'We actually see more of an uptick after the 15th, in the May or June time frame, with fake refund notifications....

"...The Internal Revenue Service regularly warns U.S. taxpayers about those and other scams....

"...'The economics are such that they need only a very, very small percentage of people to fall for a phishing attack to make money,' Cohen said.

"And that's not hard: According to data from SonicWall's online phishing quiz, people incorrectly identify fake and legitimate emails 22% of the time.

"Another possibility is that hackers will use a combination of the Epsilon addresses and tax refund scams to try to break into corporate networks....

"...That's how hackers beat the defenses of RSA Security last month, when an RSA employee opened an infected email attachment.

" 'The [fake] messages from the IRS or a bank may not even have money as their direct objective,' said Cohen. 'In the RSA attack, what they really wanted was corporate access. The attackers got through because an employee 'unjunked' an email and opened an attachment, which planted malware.'

"A message claiming that the recipient has a larger-than-expected refund coming would make a perfect vehicle for attacks based on the RSA model, Cohen argued.

" 'They're not always after bank info,' he said. 'These are smart guys. Whether it's tax-related or not, we'll be seeing the Epsilon email addresses being used.' "

That's a longer excerpt than the Lemming generally posts: but there's pretty good information there. And more in the original article.

Bottom line, in the Lemming's opinion? Learn about phishing and how to avoid it; be wary of email that wants you to click a link and/or open an attachment - and check the URLs and email addresses. The Lemming's no expert - but that's a start.
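As an added illustration of the "check the URLs and email addresses" advice, here is a small Python checker that is not part of the original post. It parses a constructed sample message (every domain under .example is made up) and flags the tells a reader is told to look for: link text that shows one domain while the href points to another, a Reply-To that goes somewhere other than the claimed sender, and links that leave the sender's domain altogether. The two-label "same site" comparison is a simplification chosen for the demo, not a production rule.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case hostname of a URL or bare domain, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower().rstrip(".")
    return host or None


def _same_site(a, b):
    """Crude registrable-domain test: the last two labels must agree.
    Simplification for the demo; real code would consult the public suffix list."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def _domain_of(header):
    """Domain part of the first address in an address header, or ''."""
    if not header or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()


def check_message(raw):
    """Return a list of findings (strings) for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = _domain_of(msg["from"])

    # A Reply-To that lands somewhere other than the claimed sender.
    reply_domain = _domain_of(msg["reply-to"])
    if reply_domain and from_domain and not _same_site(reply_domain, from_domain):
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    content = body.get_content()
    if body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        links = collector.links
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]

    for href, text in links:
        target = _host(href)
        if target is None:
            continue
        # Treat the visible text as a URL only if it looks like one.
        shown = _host(text) if re.search(r"\w\.\w", text) else None
        if shown and not _same_site(shown, target):
            findings.append(f"link text shows {shown} but points to {target}")
        elif from_domain and not _same_site(target, from_domain):
            findings.append(f"link to {target} in mail claiming to be from {from_domain}")
    return findings


# Constructed samples for this example; every domain below is made up.
PHISH_SAMPLE = b"""From: TurboTax Support <support@intuit.example>
Reply-To: refunds@refund-claims.example
To: customer@example.net
Subject: Your refund is larger than expected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Valued customer, sign in to confirm your refund:</p>
<p><a href="http://intuit-secure-login.example/verify">https://turbotax.intuit.example/</a></p>
<p><a href="https://turbotax.intuit.example/help">Help center</a></p>
</body></html>
"""

CLEAN_SAMPLE = b"""From: TurboTax Support <support@intuit.example>
To: customer@example.net
Subject: Your e-file confirmation
Content-Type: text/plain; charset=utf-8

Thanks for filing. Track your return at https://turbotax.intuit.example/status
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, check_message(raw) or ["no findings"])
```

Run as a script it reports two findings for the phishing sample (the mismatched Reply-To and the link whose visible text and href disagree) and none for the clean one; the "Help center" link passes because it stays on the sender's domain.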

"Massive Security Breach Adds Target, Marriott to Growing List"
Reuters, via (April 5, 2011)

"More U.S. companies, including Target and Marriott International came forward to tell their customers that their names and email addresses had been exposed in a massive online data breach.

"Last week, a computer hacker penetrated the online markeeter[!] Epsilon, which controls the customer email databases for a broad swath of companies, from Citigroup to Walgreen.

"In what could be one of the biggest such breaches in U.S. history, companies from banks and retailers to student-testing organizations have warned customers that some of their electronic information had been compromised.

"The disclosures continued on Monday, as Epsilon indicated that the breach had hit about 50 companies in all. Discount retailer Target and hotel chains Marriott and Blackstone Group LP's Hilton Hotels informed their customers that their names or email addresses had been part of the data breach.

"Epsilon, an online marketing unit of Alliance Data Systems, sends more than 40 billion email ads and offers annually, usually to people who register for a company's website or who give their email addresses while shopping.

"Security experts said the massive data breach should only put customers at risk if they respond to camouflaged emails seeking their credit card and other financial information...."

This is where the Lemming found information for that list of affected firms. There's a link to the original Reuters article at the end of this post - but the piece is pretty much the same, with a bit extra.

Again, this seems to be another of those common-sense 'don't be daft' situations for consumers.

What, No Rant?

The Lemming is of the opinion that Epsilon shouldn't have let their customers' data get hacked. Which, unless Epsilon fixes whatever went wrong - and convinces the companies they do business with that they've done so - is going to be bad for Epsilon.

Target and all are going to have problems, too, in the Lemming's opinion. There's the expense of dealing with a non-routine situation, bad publicity, and possibly fewer customers.

Folks at the Lemming's end of things will be affected, too, sometimes. No 'savvier-than-thou' stuff is coming: although the Lemming is a bit more online-smart than many, this household's systems have had a few problems with malware getting in. It can happen. 'The Lemming's only human?!'

The closest the Lemming will get to a rant is this: If you get an email that says "Valved customer I are concerning you confidential tax farms not safety. Be please to Czech full passwords and other things kink here" - - - don't click on that link. Or Czech that whoever is at the other end has your data.

If they didn't before you clicked the link - they may after you do.


1 comment:

Brigid said...

The bullet list for "Other" seems incomplete.

The Friendly Neighborhood Proofreader
