Epsilon e-mail data breach has knock-on effect for several brands
US-based direct marketing firm Epsilon admits that some customer details have been stolen by hackers

US-based direct marketing firm Epsilon admits that some customer details have been stolen by hackers, which security experts say may have serious knock-on effects.



From forensic cyber to encryption: InfoSec17
Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.
The incident is one of a growing list of data breaches at US companies, according to reports, including Best Buy, TiVo and Walgreen.
Epsilon says in a statement that a full investigation is underway after the discovery of the breach of some customer client data.
The company says the stolen data is limited to e-mail addresses and/or customer names, and that no other identifiable personal information associated with the names is at risk.
The fact that only names and e-mail addresses were spilled is moderately comforting, but of greater concern is the knock-on effect of this data breach, says Paul Ducklin, head of technology for security firm Sophos in the Asia Pacific region.
Epsilon is a cloud provider of electronic direct marketing services, so a security breach of the Epsilon system is a breach of all its customers' systems, too, he says in a blog post.
Customers urged to be cautious
McKinsey Quarterly, AbeBooks, Lacoste, Marriott Rewards and JP Morgan Chase are among Epsilon's customers and have issued warnings to their customers.
"We have been assured by Epsilon that the only information obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information," McKinsey told customers.
The firm says it is working to confirm Epsilon's claims, but assures customers that no credit card numbers, social security numbers, or other personally identifiable information of users is at risk.
"Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties," the alert said.
McKinsey also warned customers that it would not send e-mails asking for credit card numbers, social security numbers or other personally identifiable information.
"If you are ever asked for this information, you can be confident it is not from McKinsey," the alert said.
Cloud computing security doubts
For customers of these organisations, says Ducklin, losing their e-mail address via a service to which they already belong makes it much easier for scammers to hit with e-mails that match their existing interests, which can make their fraudulent correspondence seem more believable.
This latest breach, he says, also casts doubt on the mantra of cloud computing evangelists that cloud-sourcing high-volume internet services is certain to save money, improve up-time and boost security.
Cloud computing service providers are bound to have experts on the job who are at least as switched on about security as its customers, evangelists argue, but says Ducklin, sometimes, keeping in-house skills and abilities factored in to an organisation's security equation can pay off, especially as a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they do not know everything about security.
Read more on IT risk management
-
Why businesses must think like criminals to protect their data
-
Security Think Tank: Use awareness, education and controls to halt cryptojacking
-
Security Think Tank: Awareness is a good starting point to counter fileless malware
-
Security Think Tank: Human, procedural and technical response to fileless malware
Start the conversation
0 comments