Bits from Bill Pytlovany: Epsilon lets its customers fix their security failure

billpwp

By Bill Pytlovany

Last week a serious failure in storing names and Email occurred due to a security flaw by a company name Epsilon. This may be the largest failure in protecting names and Email in my lifetime.  Epsilon is trying to downplay this failure by claiming it only lost 2% of its database

epsilon

Even though you’ve never heard of Epsilon by now many of you have received letters from companies who use Epsilon to handle their mass Emailing. What we know to be compromised so far is only your name and Email but hackers will also know which companies you do business with.

So you should expect the following.

1) More Spam
2) More Phishing:
You should expect to see targeted Emails from companies affected by this failure. The Email will appear to come from your bank and they’ll know your name. As I often recommend, DO NOT CLICK on links found in an Email.  Go directly to the company web site and see if there is a problem.

Security researcher Brian Krebs has a partial list of companies affected which he has been updating daily.  Click here and/or scroll down.

    1800-Flowers
    Abe Books
    Air Miles CA
    Ameriprise Financial
    Barclays Bank of Delaware
    Beachbody
    Bebe Stores Inc.
    Benefit Cosmetics
    BestBuy
    Brookstone
    Capital One
    Charter Communications (Charter.com)
    Chase
    Citibank
    City Market
    The College Board
    Crucial.com
    Dell Australia
    Dillons
    Disney Vacations
    Eurosport/Soccer.com
    Eddie Bauer
    Food 4 Less
    Fred Meyer
    Fry’s
    Hilton Honors
    The Home Shopping Network
    Jay C
    JP Morgan Chase
    King Soopers
    Kroger
    LL Bean
    Marks & Spencer (UK)
    Marriott Rewards
    McKinsey Quarterly
    Moneygram
    New York & Co.
    QFC
    Ralphs
    Red Roof Inns Inc.
    Ritz Carlton
    Robert Half
    Smith Brands
    Target
    TD Ameritrade
    TIAA-CREF
    TiVo
    US Bank
    Verizon
    Viking River Cruises
    Walgreens
    World Financial Network National Bank

List updated and maintained by http://krebsonsecurity.com/

So far, Epsilon has been quiet except for the small note above.  They’re letting their customers handle the brunt of this public relations nightmare.

So far I’ve received two Emails but I expect more.

Article continued here

This post is excerpted with Bill’s permission from his blog

(Visited 6 times, 1 visits today)

12 thoughts on “Bits from Bill Pytlovany: Epsilon lets its customers fix their security failure

  1. I’ve started to see a lot of spam. at least 3 at a time. 9 different companies on that list with which we do business.

    Beyond angry, I am.

  2. The Largest Privacy Failure Ever!?
    Yeah, by Epsilon – where the heck did the get the info or the permission for our info and data???

  3. Do you see a pattern here? It must be pretty lucrative to pass client’s addresses along to the SPAM idiots. The so called ‘hacked’ companies can cry wolf.. but it’s really them that gave the addresses away!
    I never never sign up to buy anything online, if I can buy it without having to ‘create an account’, I don’t.

  4. @Susanne What does that have to do with this. All they got was email addresses, not your email password. Episolon wouldn’t have that on file anyway.

    But for anyone who thinks this is just bad because of spam, consider that you can use an email to search for someone on facebook where most people don’t private their info that well. Then using that and the emails “I forgot my password” security questions, get into the email account. You could have a question like Father’s middle name which is relatively easy to figure out with the help of just facebook and whitepages.

    Now they have access to your email accounts and anything linked to them. Your passwords are probability in your emails too since many sites don’t encrypted them and will send them to you as a reminder.
    So even though they say no personally identifiable info was taken, all that a person would need is just the email address itself. I think spam would be the least of your problems if you’re unlucky.

  5. This is old news really.

    I’ve had two emails in the last year or so, one recently from Winamp and one not so long ago from Play.com, both have had the same issues.

    Although I think they kept it quiet.

  6. I’ve received (legitimate) emails from Bank of America and Scottrade warning me of Epsilon’s screwup. So there’s 2 more huge companies to add to the list.

  7. Also Deviantart.com (which may not seem important, but considering they do handle a lot of credit card transactions, it’s more critical than most may realize).

  8. I have had 20+ emails that appear to be from me sent to my contacts (with assorted subjects) These are not in my “sent folder’ at Yahoo.com. I have set up a private code for friends/family to put in subject line of my emails.

Leave a Reply

Your email address will not be published. Required fields are marked *