Email Data Breach at Texas-based Marketing Company Epsilon Highlights Need for Extensive Security
Hackers gained access to a database full of names and email addresses at a third-party marketing firm working with some of the country's biggest companies late last month.
Among the initial concerns was that personal financial information had been compromised, given that the company - called Epsilon - worked with many major retailers and commercial banks. However, no data of that nature appears to have been released.
Epsilon's clients include Best Buy, Citibank, Capital One, Ritz-Carlton Rewards, JPMorgan Chase and a host of other firms with a prominent online presence and extensive lists of client email addresses.
Security consultants agree, though, that the acquisition of email addresses associated with bank accounts and online retailers is likely to produce a significant wave of targeted phishing attacks, with scam artists using the information to send bogus support messages asking for important login and password information. Experts urge users to report such efforts and remind them that it's never a good idea to give out sensitive data in response to an unsolicited email.
The company issued a statement in response to the attack, saying that a full investigation into how the breach occurred was under way and that even the large number of affected clients represents just 2 percent of Epsilon's user base.
Epsilon's client list is long enough - and some of the clients themselves large enough - that the number of users affected by the breach is quite large, according to MSNBC.
"Many consumers complained on Monday that they received warning notices about the email leak from multiple companies. Some consumers might not have interacted with the firm for years before Epsilon's database was stolen," the news outlet says.
The network reports that Epsilon's primary business is managing the marketing emails of large companies, enabling their IT staffs to focus on other matters while the contractor handles upkeep, list management and complaints about commercial email. Most individuals whose names and addresses are part of Epsilon's lists aren't fully aware they have a relationship with the company, since the only interaction they usually have with the firm is checking a box on some other website that grants permission to collect their email address for marketing purposes.
Experts tell MSNBC that this practice is very common, and even the biggest online companies rarely handle email marketing matters and list management of this type in-house. This allows firms like Epsilon to focus exclusively on such issues and to provide extensive auxiliary services to their clients into the bargain, tracking response rates and myriad other data points in order to offer sophisticated analytics and insight into a company's user base.
To avoid being too seriously inconvenienced by this type of incident in the future, PC Magazine says users can set up a dedicated email address for ecommerce and business messages. The possible upcoming wave of malicious spam is likely to be annoying, but - if users scrupulously avoid downloading attachments and clicking on links, and follow the aforementioned advice about not divulging sensitive information via email solicitation - they are likely safe from any serious threat of identity theft. Email users who have received a notification about this breach from one or more of the affected brands should be particularly careful.
Organizations whose email users are protected by email security and anti-spam solutions that offer a high level of anti-spam effectiveness are less likely to suffer negative consequences from breaches such as the one at Epsilon. Today’s state-of-the-art email security solutions make it possible for users to share their email addresses publicly (for example, on a corporate website or blog) without being inundated by spam.
While Epsilon is taking steps to rectify the problem and prevent it from happening again, experts say businesses looking to take advantage of similar third-party services must do their homework when investigating the security measures on offer, and never trust personal client data to a vendor whose ability to safeguard such information is questionable.