It’s a brave new world for epsilon.com customers

Kris Constable

News broke yesterday of epsilon.com being breached almost a week earlier. While none of us had really heard about them before that, they’ve been reported to send out over 40 billion spam emails a year on behalf of over 2,500 clients of theirs. Threatpost has just published a list of known companies affected. It’s unknown how many companies are affected overall, as epsilon.com has not disclosed this, or any details of the breach other than its claim that it is being investigated. Customers of many affected organizations have been notified; for example, this email went out to Best Buy customers yesterday:

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

What I find most interesting is the claim that only your email address has been compromised. While this may seem rather innocuous on the surface, when you consider the scale of Best Buy’s customer base alone, it has the potential to fuel a large phishing attack.

It is also worth noting that I’ve since seen it reported that not only email addresses, but full names and reward point balances, have been disclosed. This is important for two reasons. First, it means that the earlier claim that only email addresses had been compromised is not true. What is the penalty for an organization providing such false information? Nothing I’m aware of, which essentially gives organizations an incentive to falsify their disclosures; perhaps this should be changed legislatively.

Second, it increases the chance of a successful phishing attack, since you’d be more likely to trust someone who holds such information. For example, imagine you got an email from Best Buy right now, addressed to you by name at your email address, that said, “We see you have 44,100 reward points. As a thank you for being such a valuable customer, we’d like to offer you:

OK, you get the point. Many people could be vulnerable. How many? We have no idea. Everyone seems to be tight-lipped about the breach, so we’re all left speculating.

What can you do?