Epsilon Breach – Stay Informed. Stay Safe. Demand Accountability.

Number of users who have reported to us receiving at least one e-mail notification regarding the Epsilon Breach:
43

Have you been notified also?

4/27/2011: Medical Info Exposed as a Result of the Epsilon Breach
According to this article by Forbes, major drug company GlaxoSmithKline (apparently also on the list of Epsilon's affected clients) recently sent out a letter to consumers warning them that the breach "may have identified the product website on which [they] registered."

Now, instead of spammers sending random people ads for random pills, they can send specific people ads for specific pills...

4/27/2011: Epsilon pledges to build 'Fort Knox' around breached system
Better late than never – or too little too late? Proactive > Reactive. Enough said.

4/20/2011: Beware of Imitators!
It came to our attention today that someone is now trying to capitalize on the Epsilon Breach incident in the form of a cheap affiliate site selling credit reports.

epsilon-breach.com (note the hyphen) is a bare-bones affiliate page for creditreport.com, and I'd say its owner is clearly more interested in profit than in the best interest of the public.

The epsilon-breach.com site provides nothing other than regurgitated content from other sites and a button to order your "free" credit report. The site's icon is even (deceptively) a padlock, implying that it is somehow secure (though it is not). Additionally, the site has disabled right-clicking, which is always a pretty good sign that someone is trying to hide something.

4/15/2011: A recent post on the Websense security labs blog indicates that there is now at least one confirmed case of a "mock" Epsilon site distributing malware under the guise of a tool called the Epsilon Secure Connect Tool.

The screenshot of the mock page shows that the fake "update" section added to the real Epsilon press release page is written with convincingly-good spelling and grammar – unlike the bulk of the spam/scams which come out of China, Russia, India, etc. – making this one appear that much more credible.

This post from Jerome Segura's Malware Diaries has additional technical details regarding the exploit.

4/14/2011: Would regulation at the registrar or ICANN level drastically reduce the risk of phishing?
I've been thinking about this question for a while since the Epsilon Breach. One fact is for certain: the more credible that a phishing e-mail appears, the more successful it will be.

Many users are savvy enough to hover their mouse over a link within an e-mail message and look at the actual URL they'd be taken to. If an e-mail purporting to be from Chase Online is directing them to qxyuiiuz.com, chances are that an astute user will spot this as obviously dubious (even if the phishing e-mail appears well-crafted and genuine in every other respect).

If, however, the e-mail is directing the user to manage.mychaseonline.com, now what? Does Chase own that domain? Maybe... maybe not – but it's certainly harder to judge than qxyuiiuz.com. What does an astute user do? Does he click through? Does he ignore the possibly legitimate email? Does he type the web address in manually? Does he go look up the whois of the domain? Does he call Chase? (Incidentally, mychaseonline.com is listed as a "for sale" domain – owned by Samir Kumar in Bangalore.)
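The two tells described above (the hover test, and a destination that merely contains the brand name) are easy to script. The following is an added example for this page, not code from epsilonbreach.com; the brand allow-list, the sample message and the short hard-coded suffix list (standing in for the Public Suffix List) are assumptions made for the example. The same allow-list check answers the "why 800-flowers.com instead of 1800Flowers.com?" question raised in the 4/5 entry below.

```python
"""Audit the links in an HTML e-mail for the two phishing tells discussed above.

Added example, not code from epsilonbreach.com.  Standard library only.
Assumptions (not from the original page): the brand allow-list, the sample
message, and the short hard-coded suffix list used in place of the Public
Suffix List.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "chase"
# Registrable domains the brand is assumed to send from (constructed list).
ALLOWED_DOMAINS = {"chase.com"}
# Second-level suffixes that need three labels for the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Anchor text that itself looks like a URL or a bare hostname.
HOST_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, brand=BRAND, allowed=ALLOWED_DOMAINS):
    """Return (kind, href, detail) findings for every suspicious link."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        if not target:
            continue
        target_dom = registrable_domain(target)
        # 1. The hover test: the visible text names one site, the href another.
        shown = HOST_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != target_dom:
            findings.append(("mismatch", href,
                             f"text shows {shown.group(1)}, link goes to {target}"))
        # 2. Destination is off the allow-list; the brand name inside the
        #    host makes it a lookalike rather than merely an unknown domain.
        if target_dom not in allowed:
            kind = "lookalike" if brand in target else "unknown-domain"
            findings.append((kind, href, f"{target} is not an allow-listed {brand} host"))
    return findings


# Constructed sample message (not a real phishing e-mail).
SAMPLE = """
<p>Dear client,</p>
<p>Please confirm your details at
<a href="http://qxyuiiuz.com/login">https://chaseonline.chase.com</a> or at
<a href="https://manage.mychaseonline.com/verify">manage.mychaseonline.com</a>.</p>
<p><a href="https://chaseonline.chase.com/">chaseonline.chase.com</a></p>
<p><a href="https://chase.com/unsubscribe">Unsubscribe.</a></p>
"""

if __name__ == "__main__":
    for kind, href, detail in audit_links(SAMPLE):
        print(f"{kind:14} {href}  ({detail})")
```

Run against the constructed sample, the qxyuiiuz.com link is flagged twice (text/href mismatch, and an unknown domain), manage.mychaseonline.com is flagged once as a lookalike, and the two genuine chase.com links pass. The allow-list is the part that does the real work: a lookalike cannot be judged from the hostname alone, which is exactly the point made above.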

Would some form of regulation – the same regulation that exists amongst .gov, .edu, state domains, etc. – help curb the problem of phishing? When was the last time you ever visited a "fake" .gov, or a fake .edu? Never, I'm sure. Why can't some form of control be put into place, at the very least for financial institutions? (.bank, anyone?)

Or, how about not allowing domain squatters or any other individual to register domain names suspiciously reminiscent of prominent businesses or financial institutions (especially those outside of their country)? Why does Samir Kumar in Bangalore, India need a domain like mychaseonline.com? Only two possible answers: fraud or profit. Neither one should be allowed.

Control of a widespread problem needs to come from the top. Why have services like Gmail been able to drastically cut down on spam? Because they control the problem at the top (at the mail server level), saving users from ever having to even look at that junk. If the same type of controls existed in the realm of domain registration, perhaps users wouldn't have to sit there and wonder if mychaseonline.com was legit or not – because these types of domains would no longer be available to random individuals.

Incidentally, talk of a .bank TLD goes back years. Why is it that we now have a .xxx TLD to "shield us" (or promote, depending on your view) from sex sites, yet domains like .bank are nowhere to be found? Priorities, priorities...

4/14/2011: The Better Business Bureau is warning of phishing e-mail received as a result of the Epsilon Breach. The BBB goes on to cite a "Dear client" e-mail received posing as Chase Online. I would still be inclined to think that with customers' names at their disposal, phishers would now be at least replacing "Dear client" with "Dear John Doe" or "Dear John", etc. – but perhaps not.

It's impossible to say for certain whether a "Dear client" e-mail from faux-Chase really is linked to the Epsilon Breach. Had "Dear client" been replaced with an actual and correct customer name, the link would be much more certain.

For what it's worth, I have been receiving a lot more spam lately – "newsletter", "Postal Delivery", "Express Delivery"... Again, whether this is a result of the Epsilon Breach or mere coincidence is a matter of speculation. I suppose it is entirely possible that the e-mail addresses leaked by the Epsilon Breach could be used for less malicious folly, such as random spam.

4/12/2011: Hackers Used Keyloggers & Spyware in Epsilon . . . Breaches
You would think that computers which contain the personal data of millions of consumers (and computers which have access to computers which contain the personal data of millions of consumers) would have protective software on them which can't be easily thwarted by run-of-the-mill malware...

...then again, you'd also think that these very same computers wouldn't be manned by someone clueless enough to click on links in random phishing e-mails. Personally, I think I'm more worried about the people responsible for "protecting" our data than the criminals who abuse it. At least with the criminals, you're expecting bad things right from the outset.

4/11/2011: [Epsilon] could face costs and lost sales of $100 million or more
"The estimate by technology analysts is slightly less than 4 percent of the Dallas company's revenue last year . . . [and Epsilon] has said the breach will have a minimal impact on its finances..."

So the impact of a $100m+ loss is "minimal", yet spending the time (and a far more minimal amount of money) patching/defending against the vulnerability which resulted in the breach in the first place, one they had reportedly been warned about four months earlier... nah, let's not do that... Who made that decision?

The most comical part of the whole thing is that the exploit was "a series of fake-friendly emails with links to malware that would de-activate security software and give the hacker control over the victim's machine". So here we are, with all of our "so what?"-minded experts downplaying the severity of the breach – and downplaying the severity of phishing in general – and what was ultimately responsible for the Epsilon breach? Phishing e-mails. Oh, the irony...

4/9/2011: Have we (i.e., they) not learned anything?
I just received an e-mail from Hilton, one of the clients affected by the Epsilon breach. First mistake: it did not address me by name. I looked over the message header and noticed it came from hiltonemail.com. The whois of hiltonemail.com did not immediately look as if it belonged to Hilton, so I was suspicious. I checked the whois of hilton.com, however, and it was identical to that of hiltonemail.com (though theoretically, this is not a 100% guarantee of authenticity, either).

While it's pretty safe to assume this e-mail is legit, companies – especially those affected by the Epsilon Breach – are going to need to re-evaluate their e-mail campaigns moving forward. If these companies continue to send e-mail which (while legitimate) appears suspicious in any way, they're going to be spending time and money on e-mail campaigns which end up in the trash folder of a growing number of alert, suspicious, and even paranoid users – and I'm one of them.

4/9/2011: Epsilon Apologizes as Search Is On for Data Thieves
I say check Asia – specifically, China and Taiwan. Our web server logs show that other than US-based traffic, the bulk of the traffic to epsilonbreach.com is coming from China and Taiwan (even surpassing Canada and the UK). Curious... as I'm not aware of any Asian clients of Epsilon that have been reported as having been affected by the recent breach (though considering that much of the pre-Epsilon spam and scam e-mail originates from China anyway, this isn't all that surprising). (ed: Add Singapore to the list, as we've seen a large influx of traffic from there, as well).

As for being "sorry", I wonder if Epsilon will put their money where their mouth is. How about putting up some money to help affected users, such as with subscriptions to identity theft protection services or with licenses for anti-phishing Internet security software? The question is: is Epsilon sorry, or just "sorry" ?

4/8/2011: It dawned on me this morning that to date, I have only received a single e-mail notification regarding the Epsilon Breach: the one from 1-800-FLOWERS that I'd written about earlier.

Oddly enough, however, I've also shopped online at Best Buy, L.L. Bean, Target, and Walgreens – all more recently than I'd shopped at 1-800-FLOWERS. Why then have I not received any e-mail notifications from these other companies?

To me, this suggests that more than just names and e-mail addresses may have been leaked – data such as which e-mail addresses were used by which of Epsilon's clients, for example... or perhaps data about when individuals purchased from a given vendor (Epsilon client).

Think about it... If all that was leaked was an entry like John Doe, jdoe@example.com, you'd think that Epsilon would e-mail all of its clients saying something like, "Clients, we are aware that the following customer information was recently leaked: 'John Doe, jdoe@example.com'. If this name and e-mail address matches any customer data within your databases, please be advised that you should warn them about the current situation." Then, John Doe could expect to receive an e-mail notification from every affected vendor that he's done business with online.

However, since it appears that not every individual is being contacted by every affected vendor, one could speculate that perhaps the data breach occurred in batches (and perhaps with additional data in play). Consider the (oversimplified) example of John Doe, jdoe@example.com, 1800flowers.com, 02/14/2005. If this were in fact the data that were leaked, then Epsilon's communication with its vendors may be somewhat different, e.g., "1-800-FLOWERS Executive, we are aware that the following customer information was recently leaked: 'John Doe, jdoe@example.com, 1800flowers.com, 02/14/2005'. Please be advised that you should warn them about the current situation."

Regardless, I still feel inclined to ask, What is Epsilon not telling us? I (obviously) feel strongly that Epsilon should be held accountable for what's occurred here, but if it turns out that they've also been lying about the true breadth of the data that was leaked – well, that turns this into a whole new ball game...

4/7/2011: U.S. asked to investigate Epsilon breach
I think this is well-warranted.

4/7/2011: Having read one too many "so what?" pieces downplaying the importance of the Epsilon Breach (and "minor data" leaks in general), I've decided to respond with my own piece, detailing why the "so what?" attitude is neither the appropriate nor the correct response to these types of situations: Data Leaks: The What of "So What?"


4/7/2011: Sources indicate that Epsilon has been aware of the vulnerability behind this attack for some months.


4/6/2011: Is Epsilon Liable for Data Breach?
An attorney chimes in on the issue. How can we be sure, however, that only our names and e-mail addresses have been compromised? Personally, I think Epsilon should be required to provide detailed information as to how they know (or believe) that only this small subset of our personal data was leaked...

I know I've already stressed the point (below), but it still just doesn't sit right in my mind how (or why) "only" our names and e-mail addresses were compromised. First of all, how do they (Epsilon) know this? Do they have traffic logs of the data being taken? Do they have confiscated hardware of the offending parties? Second (and more importantly), why would there exist some form of storage which contains only our names and e-mail addresses – and nothing else? I, for one, am not big on taking a company "at its word" when it comes to issues like this; I'd like to see some proof...

Bruce Schneier says: Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks. So what? ...

Yes, of course. Like everything else, it's always "so what" until you are on the receiving end. It's sad, really, that most of the "so what" attitude comes from experts who are savvy enough to know exactly what e-mail to read, what not to read, how to quickly spot scams, etc. To these folks, "so what" really means, "I won't be scammed, so who cares?" That attitude is entirely rooted in self interest – but what about the average (or below-average) users who can and do get nipped as the result of these scams? I suppose it's still "so what?" to the experts...


4/5/2011: This site is being built to provide the public with information regarding the recent "Epsilon Breach", which resulted in (at the very least) the names and e-mail addresses of potentially millions of online shoppers being leaked to unauthorized parties.

(If you're not familiar with the details, simply Google for Epsilon or Epsilon Breach, and you'll find a wealth of information).

Very soon, we will be rolling out areas of the site where the public can report email messages they've received regarding the breach (legitimate or otherwise). This will help to provide a thorough, centralized means of tracking exactly which companies (and users) have been affected by the breach – especially since the true scope of the breach is still unknown at this point. Numerous sites have partial lists of which companies have been sending out notices, but none of these are likely to be exhaustive.

We would also like to see this site become a global petition to companies like Epsilon – and the companies that use their services – to be held accountable for data security breaches such as this. Identity theft, phishing, etc. are rampant problems, and the companies to which we provide our personal information should have a duty to protect both it and us.

I first became aware of the Epsilon Breach after receiving the following e-mail message:
Received 4/4/2011 11:13PM

Dear 1800Flowers.com Customer:

One of our email service providers, Epsilon, has informed us that we are among a group of companies affected by a data breach that may have exposed your email address to unauthorized third parties. It's important to know that this incident did not involve other account or personally identifiable information. We use permission-based email service providers such as Epsilon to help us manage email communications to our customers.

We take your privacy very seriously and we work diligently to ensure your private information is always protected. Epsilon has assured us that no private information, other than your email address, was involved in the incident. We regret any inconvenience that this may cause you.

Because of this incident, we advise you to be extremely cautious before opening emails from senders you do not recognize.

We thank you for your understanding in this matter.

Sincerely,

Bibi Brown
Director, Customer Service

Security & Privacy
http://email.800-flowers.com/[removed]

This email was sent to [removed] If you've received this e-mail as a forward, we invite you to subscribe.
http://email.800-flowers.com/[removed]

If you no longer wish to receive offers via email from 1-800-FLOWERS.COM(R) click here to unsubscribe. http://email.800-flowers.com/[removed]

Add 1800FLOWERS@email.800-flowers.com to your Address Book to ensure that you receive our email in your Inbox.

1-800-FLOWERS.COM, INC. Corporate Office - One Old Country Road, Suite 500 - Carle Place, New York 11514-1801

A few things about this e-mail jumped right out at me: First of all, I haven't used 1-800-FLOWERS in years. Second, why weren't they addressing me by name, as most e-mails of this nature do (or at least should)? Third, why are the links sending me to 800-flowers.com instead of 1800Flowers.com? I certainly wasn't going to click them to find out...

The first thing I did was to call 1-800-FLOWERS directly. I spoke with one absolutely clueless woman who thought I was calling for an e-mail confirmation regarding an order. After being on hold for five minutes, I was transferred to an almost equally clueless woman. This woman confirmed that they did, in fact, send the e-mail message and that I should "just delete it" (!). I asked what information was leaked, and the woman had no clue. I hung up.

Not entirely satisfied, I looked up the domain ownership of 800-flowers.com, and it turns out that it is, indeed, owned by 1-800-FLOWERS. I then Googled for Epsilon, having never even heard of them, and well, that's how this whole site came to fruition.
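The whois comparison used here for 800-flowers.com, and in the 4/9 entry above for hiltonemail.com vs. hilton.com, comes down to a few fields: does the sending domain share a registrant organization and name servers with the brand's primary domain? The script below is an added example for this page, not code from epsilonbreach.com. The four records in it are constructed stand-ins with fictitious registrants and name servers (they are not the real whois data for hilton.com, hiltonemail.com or 800-flowers.com), and the list of privacy-proxy markers is an assumption; a live check would feed the output of `whois <domain>` into compare_whois() in place of these strings.

```python
"""Compare WHOIS records for a sending domain and the brand's primary domain.

Added example, not code from epsilonbreach.com.  The records below are
constructed stand-ins (fictitious registrants and name servers), and the
privacy-proxy markers are an assumption.  A live check would feed the
output of `whois <domain>` into compare_whois() in place of these strings.
"""
import re

# A registrant organization containing one of these is a privacy/proxy
# service: two unrelated domains behind the same proxy look identical, so
# the comparison must come back inconclusive, not as a match.  (Assumed
# markers; extend from real records as you meet them.)
PROXY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$")


def parse_whois(text):
    """Turn 'Key: value' lines into {lowercase key: set of lowercase values}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return fields


def registrant_org(fields):
    """Registrant organization(s), or None when absent or behind a proxy."""
    orgs = fields.get("registrant organization", set())
    if not orgs or any(mk in o for o in orgs for mk in PROXY_MARKERS):
        return None
    return orgs


def compare_whois(brand_record, sender_record):
    """Classify the sender's domain relative to the brand's primary domain."""
    a, b = parse_whois(brand_record), parse_whois(sender_record)
    org_a, org_b = registrant_org(a), registrant_org(b)
    if org_a is None or org_b is None:
        return "inconclusive"
    same_org = bool(org_a & org_b)
    same_ns = bool(a.get("name server", set()) & b.get("name server", set()))
    if same_org and same_ns:
        return "same-registrant"
    if same_org or same_ns:
        return "partial-match"   # worth a closer look, not a clean answer
    return "different-registrant"


# Constructed records (fictitious data for illustration only).
BRAND_PRIMARY = """\
Domain Name: examplehotels.com
Registrant Organization: Example Hotels Worldwide, Inc.
Registrant Country: US
Name Server: ns1.examplehotels.net
Name Server: ns2.examplehotels.net
"""
BRAND_MAILER = """\
Domain Name: examplehotelsemail.com
Registrant Organization: Example Hotels Worldwide, Inc.
Registrant Country: US
Name Server: ns1.examplehotels.net
Name Server: ns2.examplehotels.net
"""
LOOKALIKE = """\
Domain Name: myexamplehotelsonline.com
Registrant Organization: Some Individual
Registrant Country: IN
Name Server: ns1.parked-for-sale.example
"""
PROXIED = """\
Domain Name: examplehotels-rewards.com
Registrant Organization: Domain Privacy Service
Name Server: ns1.examplehotels.net
"""

if __name__ == "__main__":
    for name, rec in [("mailer", BRAND_MAILER), ("lookalike", LOOKALIKE), ("proxied", PROXIED)]:
        print(f"{name:10} {compare_whois(BRAND_PRIMARY, rec)}")
```

As the 4/9 entry already notes, a matching record is supporting evidence rather than proof: it tells you the two domains were registered by the same party, not that the message actually came from them. A proxied record tells you nothing either way, which is why the script refuses to call it a match.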

So not only was my customer information leaked, but I was told by 1-800-FLOWERS to just delete the warning that was sent out. That's rather dismissive, I'd say – and it's this type of attitude which results in customer data being mishandled in the first place.

One thing that the Epsilon Breach has me curious about is what type of information is really leaked when something like this occurs? Sure, we're quick to hear that "no credit card or financial information" was leaked. In this case, everything I've read points to the belief (theirs, not mine) that only my name and e-mail address were compromised. But am I really supposed to believe this? Do you? Think about it...

When 1-800-FLOWERS (for example) decides to send me an e-mail advertisement to buy more flowers, am I supposed to believe that they have no other "targeting" or personalization data being used (or at least at their disposal) – such as what I've ordered in the past, or for whom, or for what occasions, etc.?

All you need to do is scan your inbox for ads sent by companies from which you've purchased something in the past. Chances are, some of them have used some information about your past purchases to "group" you into a more targeted mailing. It makes sense from a business standpoint, and I don't see anything inherently wrong with it. It does make me curious, however, as to the true scope of the information about me being leaked...

Of course my credit card information wasn't leaked – this is information that's obviously never in any type of mass e-mail ad. However... No other information – at all??? – was leaked along with my name and e-mail address? Not when I was to be mailed, how often, about what products, when I opted in, whether I've opted out, when I opted out, etc.? Not my city, state, zip code, or country for more geographically-targeted ads? (I often receive ads about sales at my local [insert big name] store, don't you?) I don't know about you, but I'm skeptical.

Personally, I get rather offended by the experts who try to downplay the severity of these types of incidents. Social engineering is all-too-common, and the more that someone knows about you (even if it is "just" where you shop, what you buy, etc.), the easier that it becomes to lull you into a false sense of security – and this false sense of security is the root of many social engineering scams.

Stop letting the severity of these types of leaks be downplayed. Start holding companies – and the people behind them – accountable.

If you have something to report, such as how you feel you may have been compromised as the result of the recent Epsilon Breach, please contact us.