The papers, twitter-sphere and unfortunately my email box are all ablaze this morning about the breach at Epsilon and what it can mean to you. If you are like me, your first reaction may have been “who is Epsilon and why do they have my information?”
Brian Krebs in his Krebs on Security blog has some good background on Epsilon. Among its customers who may have had email addresses stolen are:
- Abe Books
- American Express
- Ameriprise Financial
- Barclays Bank of Delaware
- Capital One
- City Market
- Disney Vacations
- Food 4 Less
- Fred Meyer
- Hilton Honors
- The Home Shopping Network
- Jay C
- JP Morgan Chase
- King Soopers
- Marriott Rewards
- McKinsey Quarterly
- New York & Co.
- Ritz Carlton
- Robert Half
- Smith Brands
- US Bank
How many of these companies do you do business with? Have you received any notices from them yet? Now some may say that it was just email addresses and names stolen, no other personal information, so damage may be minimal. But as Brian points out, watch for the spear phishing that could ensue from this. Once the bad guys know you bank at Chase, they can target you with a lot more certainty than they could before. You should be extra careful about responding to any requests for information coming to your email address.
But as I said, the blog-o-sphere, Twitter and the media are all over this story. The reason I wanted to mention it here is that I think this could have a negative impact on the cloud and cloud security. It once again raises the specter of control. Who knew that these respected companies we deal with have given our information out to someone else to store?
Whether it be a cloud service provider or a SaaS provider, the idea that information we entrusted to someone else was compromised will be used as fodder for why we should hesitate to move to the cloud or use a SaaS provider that will be responsible for controlling access to our information.
Further, when a provider such as Epsilon gets breached, it is not just one company's records getting breached but, as in this case, those of many companies.
This type of incident gives us all a black eye. It will be interesting to see how the industry reacts and how much confidence is shaken. The good news is that if there are not a lot of successful spear phishing attacks, this may pass out of the public eye quickly.
But the lesson should be learned. Other people’s data needs to be handled even more securely than our own!