As scope of e-mail hack grows, should you be worried?
As posted on April 4, 2011 on www.cnn.com
(CNN) -- The world's largest "permissions-based" e-mail marketing company, Epsilon, reported late last week that someone hacked into its computer system and stole an unknown number of e-mail addresses and names.
The scope of this breach is potentially huge and has continued to grow over the weekend, with companies like TiVo, JPMorgan Chase and Capital One coming forward to say their customers have been affected. Epsilon reports sending 40 billion e-mails per year on behalf of its 2,500 clients. Reuters calls this potentially "one of the biggest such breaches in U.S. history."
This all sounds fairly terrifying. But the worst that may come of it is a sneakier and more sinister version of spam, security experts say.
Since the hacker, according to Epsilon, lifted only e-mail addresses and names, there's little fear that identities could be stolen and bank accounts drained because of the huge leak of information.
What security experts do worry about, however, is a malicious form of spam called "targeted phishing" or "spear phishing." These terms refer to fake e-mails that try to look real because the scammer knows something about you.
Say you had signed up to receive marketing e-mails from Kroger, which is a major U.S. grocery store chain. If your e-mail address and name were stolen as part of the recent security breach, a scammer, knowing you sometimes get e-mails from Kroger and probably wouldn't be suspicious of them, could design a fake e-mail that looks like it came from Kroger. Such an e-mail might ask you for sensitive information, like a Social Security number or bank account number.
If you divulged that kind of personal data, you could become a victim of identity theft.
"Put on your thinking cap before you give anyone sensitive information like a password or social security number online," writes the blog TechCrunch.
SecurityWeek, which has an up-to-date list of companies it has confirmed are part of this e-mail leak, says this is still cause for alarm.
(List is posted here http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands ,
and includes the following businesses: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network (HSN), Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, Robert Half Technologies.)
"Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands.
"Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher 'hit rate' than a typical 'blind' spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate."
A blogger at Sophos, a security firm, says it's "moderately comforting" that whoever breached Epsilon's system only got names and e-mail.
"Losing your email address to scammers and spammers is likely to mean a surge in spam to your account," Paul Ducklin write on the company's blog.
He adds: "As we've noticed before, carelessness with e-mail addresses isn't a cardinal sin in the data leakage world -- both TripAdvisor and Play.com have owned up recently to similar indiscretions, without any major loss of esteem."
So what should you do? First, take a look at the full list of companies that reportedly have had their data compromised (some of them may have e-mailed you directly over the weekend). If you've signed up to receive e-mails from these companies -- or if you've given them your e-mail address on any official forms -- then your address and name may be part of this leak.
Be skeptical of e-mails that come from these companies and, as tech bloggers report, don't give out sensitive personal information unless you're absolutely sure you're dealing directly with the company and not someone impersonating them.
"Now that they have a list of confirmed e-mail addresses, those spammers and other miscreants will have much better success at targeting their victims," writes the tech blog Mashable.