Wednesday, April 6, 2011

Epsilon Data Breach

Note: This post is available in Spanish.

On March 30th, Epsilon, an online marketing firm, was the victim of an attack that resulted in a data breach affecting 2% of its clients. The company notified its customers on April 1st through a public announcement, in which it stated: “On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only”. No other information explaining how the attack took place was released.
Some of Epsilon’s customers known to have been affected so far are: 1-800-FLOWERS, AbeBooks, Air Miles (Canada), Ameriprise Financial, Barclay's Bank of Delaware, Beachbody, Best Buy, Capital One, Chase, Citigroup, Disney Destinations, Hilton Honors program, Home Depot Credit Card, Home Shopping Network, JPMorgan Chase, Marks and Spencer, Marriott, McKinsey Quarterly, Target, TD Ameritrade, TiVo, US Bank and Walgreen's.
Epsilon’s customers have started to notify their own customers of the data breach and to remind them that they will not request personal information by e-mail. As an example, AbeBooks sent the following e-mail: “…As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information”.
What are the risks of this data breach? The attackers now have more precise information on names, e-mail addresses and customers’ preferences (hotels, banks, etc.), which increases the chances of a successful targeted social engineering attack (such as phishing). So it is likely that we will see more phishing activity in the following months. This is why Epsilon’s customers should notify their own customers of the incident and raise the level of awareness of these types of attack.


Alliance Data, a parent company of Epsilon, issued a press release yesterday stating "No personal identifiable information (PII) was compromised, such as social security numbers, credit card numbers or account information. Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations." It is known that the FBI is working on the investigation.


Alliance Data also states that the biggest risk to them and Epsilon is the loss of potential customers. These are the risks that a company faces when proper security controls are not implemented. It is not only the value assigned to the asset that matters, but also the indirect costs associated with it, such as damage to the company's image or lost sales, among others.


By Agustin Chernitsky
