By Ron Benvenisti. This week’s “worst data breach in history” involved the “pharming” (stealing) of emails from Epsilon, the world’s largest provider of email services to A-list banks, retailers and corporations serving 40 BILLION emails a year. Personal names, email addresses and account information are now in the possession of the crooks who hacked into Epsilon’s huge database of hundreds of thousands of users.
The breach impacts practically everyone who has ever signed up to receive a retail offer or alert through their email account. Epsilon warned that thieves can use the information to launch a major phishing campaign to trick users into disclosing more critical data.
Besides being alert to phishing scams (such as the IRS scam I reported on TLS last week), you now have to be even more vigilant about email from companies you deal with, as well as from those you do not.
Just because an email shows your full name and correct email address, do not assume it is legitimate, especially after this historic data breach.
While Epsilon states that, “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” bear in mind that the details of most data breaches are generally not made public. Legally, the company only has to warn users, provide free credit monitoring and perhaps pay a fine.
It is important to keep an even more focused eye on your bank, retail and credit card accounts for any unauthorized purchases from vendors you have dealt with in the past as well as any unknown transactions. Be on the lookout for small transactions, from under $1 to $10, which you did not authorize. Typically, fraudsters test accounts by attempting to authorize small amounts; if those go through, they go for the big killing.
Over the next few days, you should be receiving emails from your banks and others you have dealt with in the past, who have been impacted by the breach. You may also receive emails from phishers trying to take advantage of the breach asking for more information to verify if your account information has been compromised. Be on the alert!
Here is just part of the rapidly growing list of affected companies that have sent out emails as of today:
Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delaware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, Ameriprise Financial, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books, Lacoste.
Again: be on the lookout for “spear phishing” campaigns using these companies’ names as a front, and don’t take the bait. Make sure your security software is up to date. If you feel you really must open an email from one of these companies, mouse over the link in the email to see whether the domain name matches the company, and check for HTTPS at the beginning of the URL. Even so, the URL could be spoofed, and without the right tools you have no way of knowing whether it is genuine. In any case, don’t give out sensitive personal information unless you are 100% sure you are dealing directly with the company (which, from an email, you really cannot be). These emails can open the way to identity theft.
Legit emails regarding this breach will be informational only – DO NOT REPLY.
Again, check your accounts daily or more often, keep an eye on your bank and credit card accounts for any unauthorized purchases from vendors you have dealt with in the past as well as any unknown transactions, and notify your bank or retailer immediately.
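One way to turn the small-test-charge pattern described above into a backend check, as an added example that is not part of the original post; the merchants, amounts and thresholds are constructed for illustration:

```python
# Added example (not from the post): a minimal backend fraud check for the
# card-testing pattern described above, a small unauthorized charge from a
# merchant the customer has never used, followed within a short window by a
# much larger charge from that same merchant.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    when: datetime
    merchant: str
    amount: float

def known_merchants(history, before):
    """Merchants the customer had already used before a given time (the baseline)."""
    return {t.merchant for t in history if t.when < before}

def find_probe_sequences(history, probe_max=10.0, big_min=100.0, window_hours=72):
    """Return (probe, follow_up) pairs that look like a test charge and its payoff."""
    history = sorted(history, key=lambda t: t.when)
    alerts = []
    for i, probe in enumerate(history):
        if not 0 < probe.amount <= probe_max:
            continue
        if probe.merchant in known_merchants(history, probe.when):
            continue  # a small charge at a familiar merchant is ordinary activity
        deadline = probe.when + timedelta(hours=window_hours)
        for later in history[i + 1:]:
            if later.when > deadline:
                break
            if later.merchant == probe.merchant and later.amount >= big_min:
                alerts.append((probe, later))
                break
    return alerts

# Constructed sample history (merchants and amounts are made up).
SAMPLE = [
    Txn(datetime(2011, 3, 20, 9, 0), "Kroger", 84.12),
    Txn(datetime(2011, 3, 28, 12, 30), "Kroger", 3.49),       # small, but familiar
    Txn(datetime(2011, 4, 4, 8, 15), "ACME-ONLINE", 1.00),    # the test charge
    Txn(datetime(2011, 4, 5, 20, 40), "ACME-ONLINE", 950.00), # the big one
    Txn(datetime(2011, 4, 6, 11, 0), "Walgreens", 0.99),      # a probe with no follow-up yet
]

if __name__ == "__main__":
    for probe, big in find_probe_sequences(SAMPLE):
        print(f"ALERT: {probe.merchant} tested ${probe.amount:.2f} "
              f"on {probe.when:%Y-%m-%d}, then charged ${big.amount:.2f}")
```

The tell is the sequence, not either amount on its own, which is why a small charge at a merchant you already use is left alone.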
I bet the US Postal Service is enjoying this…!
You can add US Bank to the list of affected companies, I recently got an email from them warning about this exact matter!
Just got an email from Chase…
Target sent me an email so add them to the list.
Thank you Ron. Your articles are very much appreciated and necessary.
Today, Epsilon is in “damage control” spinning some “finesse” by stating only 2% of customers are affected. Well, 2% of 40 BILLION emails is, let’s see, 20 MILLION! What a relief, no?
If you’ve been listening to many commentators since Friday, we’re all going to have our bank accounts cleaned out by next week. Simply not true.
At this point the impacted entities are saying “notifying customers about the incident and warning them not to click links in phishing e-mails are all we really can do.”
Having worked for many of these companies as a security specialist I have always advised my clients that when authenticating transactions they should deploy “backend” fraud monitoring, rather than just authenticating the identity of a person. I submitted a model of such a system in 2003 as a member of the NY Electronic Crimes Task Force (NYPD, DOI, USS, FBI, etc.) which was well received, and was in fact the number one download on one of DHS’ private Law Enforcement portals. Unfortunately the government financial institutions have been slow to take this seriously. They should always assume the customer’s computer or account is already compromised and implement ways to continue business under those circumstances.
If you look at the video in the post about Bob Singer’s Vocational Project, when he is asked to speak, you will hear him admit that his office did not have an IT department at all, and many others do not either, let alone any kind of robust security. They have e-mail, internet and computers but little or no security procedures.
Here are some things we all should be doing anyway which will go a long way toward preventing us from being victims in the first place:
Get a decent spam filter. Leading filters are tuned to filter out spam from fake banks and faked real banks.
Be much smarter about giving out your email address. Use a special email address for them to contact you. (You can make one up and get it from Gmail or Yahoo for free.) That way, if spam starts arriving at the unique address you gave to that particular entity, you know that that organization is responsible for leaking your data. Neat trick!
Using unique email “aliases” will help you when the next, inevitable data leak happens. If your bank lets you know about leaked addresses, just change the alias the bank uses in the future. Any email you will then receive at the old alias isn’t legitimate!
In any case:
Here’s the latest updated list: (expect many, many more)
Kroger, JPMorgan Chase, Capital One, Citi, New York & Company, US Bank, Barclays Bank of Delaware, Barclay’s L.L. Bean Visa card, Brookstone, McKinsey Quarterly, TiVo, College Board, Walgreens, Ameriprise, Marriott Rewards, Ritz-Carlton Rewards, Disney Destinations (The Walt Disney Travel Company), Benefit Cosmetics, Home Shopping Network (HSN), AbeBooks, Best Buy, Best Buy Canada Reward Zone, Robert Half International, Borders, City Market, Dillons, Food 4 Less, Fred Meyer, Hilton Honors, Jay C, King Soopers, QFC, Ralphs, Smith Brands, Verizon, Visa, AIR MILES Reward Program (Canada), Beachbody, bebe, College Board, Eileen Fisher, Ethan Allen, Lacoste, Red Roof Inn, Target, 1-800-FLOWERS, Ann Taylor, Viking River Cruises, BJ’s Visa, World Financial Network National Bank, Victoria’s Secret card, Express card, Catherine’s card, TripAdvisor.com, TIAA-CREF, TD Ameritrade, Smith Brands, Scottrade, Robert Half International, MoneyGram, Marks & Spencer, Eurosport Soccer, Eddie Bauer Friends, Dell Australia, Charter Communications
My sources tell me the Secret Service is now involved investigating the breach.
On a related matter, the FTC has also sent notices to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly-held corporations employing tens of thousands.
Please thank TLS for allowing me to do my thing…
© ¥ ß ê ® ¢ ø Þ
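The per-organization email alias trick described in the comment above, as an added example that is not the author's own code; the aliases, expected sender domains and sample messages are all constructed for illustration:

```python
# Added example (not the author's code): map each alias to the organization it
# was handed to, then classify incoming mail. Mail at an alias from an unrelated
# sender means that organization leaked the address; mail at a retired alias is
# never legitimate. The From header is forgeable, so "expected" only means the
# mail is consistent with the alias, not that it is proven genuine.
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed, constructed mapping: alias -> sender domains that organization uses.
# An empty set marks an alias retired after a breach notice.
ALIASES = {
    "me+mybank@example.com": {"mybank.example", "alerts.mybank.example"},
    "me+retailer@example.com": {"retailer.example"},
    "me+oldbank@example.com": set(),   # retired; nothing arriving here is legit
}

def classify(raw_message):
    """Return (verdict, alias, reason) for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    for alias in recipients:
        if alias not in ALIASES:
            continue
        allowed = ALIASES[alias]
        if not allowed:
            return ("illegitimate", alias, "alias was retired")
        if sender_domain in allowed:
            return ("expected", alias, sender_domain)
        return ("leaked", alias, f"unexpected sender domain {sender_domain}")
    return ("unknown", None, "no tracked alias among recipients")

# Constructed sample messages.
GOOD = "From: Alerts <alerts@mybank.example>\nTo: me+mybank@example.com\nSubject: Statement\n\nhi\n"
LEAK = "From: promo@win-a-prize.example\nTo: me+retailer@example.com\nSubject: Prize!\n\nclick\n"
OLD = "From: security@oldbank.example\nTo: me+oldbank@example.com\nSubject: Verify\n\nreply\n"

if __name__ == "__main__":
    for raw in (GOOD, LEAK, OLD):
        print(classify(raw))
```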
2% of 40 Billion is 8 million
According to the Epsilon website, they send, on average, 109 million email messages a day.
It seems now that the data lost by Epsilon were more than just names and email addresses. An article in the Wall Street Journal says that Epsilon specializes in things like not sending winter coat ads to someone living in Florida. This means they have more personal information than just names and email addresses, they know where you live, or at least your city, state and zip code. And now, so do the crooks. Epsilon is also involved in loyalty programs, which means they definitely store more than just names and email addresses.
As I reported yesterday about how companies deal with these breaches, Epsilon now says that “they are limited in what they can disclose publicly due to ongoing investigations.”
What does this mean? The threat is now more serious. To use the jargon, it has escalated to what is called “spear-phishing”. What’s the difference between regular phishing and spear-phishing? Spear-phishing is used by identity thieves trying to access your retail, bank and/or credit card accounts. Spear-phishing is a targeted attack aimed at specific individuals rather than huge blasts of messages to random users (phishing).
A spear-phishing email looks like this:
Dear Your Real Name aka YOU,
Victimized Company A has just teamed up with Victimized Company B and Victimized Company C in an expanded triple rewards loyalty program. This exciting new program offers great savings on your favorite products from all three companies. As a valued customer of all three you are eligible to sign up by clicking this link.
Since YOU have a relationship with all three, it looks legitimate.
You must stay vigilant on this threat. Spam blockers won’t catch this because it is not a blast-out but sent only to specific users.
Here’s today’s updated list sorted alphabetically:
3. AIR MILES Reward Program (Canada)
5. Barclays Bank of Delaware (Barclay’s L.L. Bean Visa card)
9. Best Buy Canada Reward Zone
10. Benefit Cosmetics (see below)
14. Citi (Exxon Mobil Card, Home Depot Card, NTB Card)
20. Disney Destinations (The Walt Disney Travel Company)
21. Eddie Bauer Friends
22. Eileen Fisher (doesn’t name Epsilon but same template letter)
24. Eurosport Soccer (Soccer.com)
25. Food 4 Less
29. Home Shopping Network (HSN)
34. Lacoste (and as per TG Daily)
35. Marriott Rewards (FAQ on site)
36. Marks & Spencer
39. New York & Company
42. Red Roof Inn
44. Robert Half International
54. Viking River Cruises
55. Visa (Barclays Bank of Delaware/L.L. Bean Visa, BJ’s Visa)
57. World Financial Network National Bank (Ann Taylor, Dressbarn, Express card, Catherine’s, J Crew, Lane Bryant, RadioShack, Sears, The Limited, Victoria’s Secret)
As we say, be careful out there.
© ¥ ß ê ® ¢ ø Þ