Epsilon Data Breach Bigger Than Just Kroger Customers' Data 115
wiredmikey writes with an update to the previously reported Epsilon breach: "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow ..." An anonymous reader points out that U.S. Bank is on the list of affected companies; I wonder how many more phishing attempts this will mean.
collegeboard.com affected (Score:5, Interesting)
Just got this email:
CollegeBoard.com
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.
Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.
Epsilon has reported this incident to, and is working with, the appropriate authorities.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
The College Board
Re: (Score:3)
Re: (Score:2)
It was Epsilon's systems that were compromised and their whole purpose is to send out subscriber emails. Epsilon was never given any information except what was used to generate those emails: mostly names and email addresses. One exception was the number of "member rewards" points for a company who presumably sends out automated emails with "Hi [your name]! You have [N] rewards points to spend!"
I don't trust that the sensitive information is secure due to extra security around it at Epsilon, but I do trust
Re: (Score:3, Insightful)
Re: (Score:2)
...like the guy that left the tapes unencrypted in the back of his car?
what kind of car?
Re: (Score:2)
Why? Do you think regulations will magically make these companies haxx0r-proof?
Here's what happens with the regulatory process: the companies lobby the shit out of the appropriate politicians and agencies. Regulations are produced. They don't solve much, but now we get a new bureaucracy to handle the regulations. The companies still get cracked, but now they can say "Hey, it wasn't our fault - we followed the regulations."
Happens all day, every day.
Re: (Score:1)
I'm a kroger customer. I use their online ordering stuff to have groceries delivered to my home. Yesterday's post said they had notified customers of the breach by email. I've checked. I've received no such email from Kroger or any related Kroger company about *anything*.
Re: (Score:1)
Re: (Score:2)
This was received by me, 20 hours ago (imagine the address list being used, by Epsilon, to contact ALL their former end-users; not to mention the value to those that possess it now.):
Important information from McKinsey Quarterly
We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.
We have been assured by
nyandcompany.com and disney.com as well (Score:3)
I got this one yesterday:
Dear New York & Company Customer,
Yesterday, we were informed by our email service provider that your
email address was exposed by unauthorized entry into their system. Our
email service provider deploys emails on our behalf to customers who
have opted into email based communications from us. We want to assure
you that the only information that was obtained was your name and/or
email address. Your account and any other personally identifiable
information were not at risk.
Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We also want to remind you that
we will never ask you for your personal information in an email.
We sincerely regret this has taken place, and we apologize for any
inconvenience this may have caused you. We take your privacy very
seriously, and we will continue to work diligently to protect your
personal information.
Please visit http://faq.nyandcompany.com/ [nyandcompany.com] for answers
to some frequently asked questions about this incident.
Sincerely,
New York & Company
You've received this message because you registered to receive
email from New York & Company. If you no longer wish to receive
email from us, or would like to edit your email preferences,
click here.
http://email.nyandcompany.com/p/NYandCompany/OptOut?EMAIL_ADDRESS=nyandcompany_orders@ecuadors.net& [nyandcompany.com]
Click here to view our Privacy Policy.
http://www.nyandcompany.com/nyco/company/privacy.jsp?& [nyandcompany.com]
New York & Company Corporate Office
450 W. 33rd Street
New York, NY 10001
And this one today:
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.
We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.
As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.
If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.
Sincerely,
Disney Destinations
Add Ameriprise Financial Services: (Score:2)
Please remember, Ameriprise
And abebooks! (Score:2)
After nyandcompany.com and disney I got an email from abebooks:
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or accoun
Re: (Score:1)
If nothing else, this illustrates that storing data offsite is perfectly safe, and that we should all rush to do this. After all, it's perfectly safe, as the hackers only go after the unimportant stuff. They're nice that way.
Re: (Score:1)
tivo (Score:2)
I got a message from tivo today about this exact type of breach, i guess they use this company also although the email was vague on the name of the company and the reason they had my email to begin with.
Re: (Score:3)
We've got a serious security hole in the Internet that whenever an e-mail needs to be sent, you've got to disclose a destination address to several "why should we trust you?" parties.When you've got a lot to send, you either have to bore yourself setting up a system to get around "You're acting like a spammer" blocks that are different at every ISP or hire this third party that already did that research. When this third party gets hit, everybody's list falls at once.
If only privacy policy violations came wi
Re: (Score:2)
I got a message from tivo today about this exact type of breach, i guess they use this company also although the email was vague on the name of the company and the reason they had my email to begin with.
I got the same message. If my Tivo address is used for spam, it should be reasonably obvious, since I use a unique address for that account.
Re: (Score:2)
Text of Email Message from Tivo:
Dear TiVo Customer,
Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.
We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information w
Paul Erdos would not have been surprised (Score:2, Funny)
Erdos, who never married, would greet the sight of a colleague's toddler by exclaiming, "Aha, an epsilon!" Even an absent-minded mathematician would have realized that you don't put customer data in the custody of an Epsilon.
Only Names and Emails? (Score:5, Interesting)
Re: (Score:2)
Perhaps you are correct. However, I just got an email from that claims that only my name and email address were compromised. Exactly what data was compromised may depend on the particular company's relationship with Epsilon.
Re:Only Names and Emails? (Score:5, Informative)
This wasn't a marketing company, it was an e-mail delivery service. It takes a lot of work to deliver thousands of customized e-mails to a customer base. To get it right, you have to learn the SMTP acceptance policies of various ISPs, deliver up to the limit, and then back off until the timeout resets.
This just goes to show why you only give database slices away, all they needed was the text of the e-mail with the variable spots included, the name to put in the variable slot, and the address to send it to.
It's a spammer's dream to get this many active e-mail addresses released, but it's not the kind of thing that should cause much damage.
Re: (Score:1)
I beg your pardon, not a marketing company? This is from Epsilon's site: "Epsilon is the world's largest permission-based email marketer." It's the same Epsilon that College Board (and Kroger, and all these other companies) use, I believe. I don't recall *giving* College Board permission to share my e-mail address, name, any information, with any third party other than schools our son wanted to receive his test scores. Is there something implicit in giving that permission that granted them permission to share with third parties, be they marketers or simply e-mail delivery services? Man, when is this cavalier treatment of so many peoples' information, for the sake of corporate profit, going to end?
I think the time has come where privacy policies need to change where 3rd parties are not disclosed as 3rd parties - they should be disclosed by name and not the generic "3rd parties" description.
What is becoming more frustrating, is generally we have no idea of "who or where" our personal information is. It was news to me that Epsilon has my email address - hell back in the ChoicePoint fiasco, I didn't know they had my information.
Has the time for full disclosure regarding who these mysterious 3rd parties
Re: (Score:1)
So this company has an entire database that is secured differently and separately from all of the other databases they have and this one database's purpose is for nothing other than storing first names and email addresses? This seems HIGHLY unlikely. I spell a huge pile of bullshit, here.
Re: (Score:1)
So this company has an entire database that is secured differently and separately from all of the other databases they have and this one database's purpose is for nothing other than storing first names and email addresses? This seems HIGHLY unlikely. I spell a huge pile of bullshit, here.
Your reasoning is sound but the underlying assumption is a poor one; it is trivial and very common to grant access to only parts of a database. The idea that Epsilon only had access to those two pieces of information out of a much larger pool of data is extremely likely.
Re: (Score:2)
One of my accounts also got a message from Brookstone a day or two ago.
Don't trust the Cloud (Score:1)
Re: (Score:1)
One can only hope... (Score:3)
One can only hope this sheds some light on the way companies routinely share otherwise personal information without full disclosure. Maybe if enough people see the people see all their information being compromised by 3rd-party affiliates they never heard of they'll realize what's going on. They just don't seem to realize (or care) that just by filling out 1 form and handing it to 1 company, dozens of other partner/contractor/affiliate companies get a copy and will likely keep it forever.
It's even worse when they do it with social security numbers or financial data. My school routinely hands social security numbers to other companies as a way of "minimizing liability" because if something happens then they can blame the contractor, as if that somehow minimizes the risk to students. I see this sort of thing happen all to often and it saddens me.
Re: (Score:2)
That's probably because it's cheaper to pay out whatever gets stolen and the government doesn't tell them they have to. I'm not sure how much the tokens cost, but last I heard, using chip and pin for credit cards costs somewhere around $40-50 each time they issue a card.
Idiots! (Score:3)
These people are idiots of outsourcing private information like that... that's why I keep all my customer data on my little notepad, which is.. right... um... around here somewhere... hm... oh well, I'm sure I'll find it eventually.
Re: (Score:2)
Any systematically generated (non-random) password suffers from this weakness. Once you figure out the system, all the extra passwords provide no real additional security.
This is why password aging provides no security benefit. When a hacker finds out that I've stopped using the password "loser15" they'll try "loser16" and get in on the next attempt. I imagine that 90% of people with accounts with password aging use such a system, making the aging itself useless.
Another Reason To Distrust The Cloud (Score:2)
Re: (Score:3)
Data security doesn't matter where the data is located. It matters EVERYWHERE data is located. Incompetency is everywhere.
Standard reply: nothing is foolproof because fools are so ingenioius.
Re: (Score:2)
Data security doesn't matter where the data is located. It matters EVERYWHERE data is located. Incompetency is everywhere.
All the more reason to take ownership of your data and to get the best people you can to manage it. Would you trust a complete stranger with your child? Then why should you trust a stranger with your confidential customer data? *If* it really matters you need to *treat it* as if it really matters.
Re: (Score:2)
This isn't really a problem with "the cloud" as much as a "single point of failure" situation. With the magic of delivering thousands of e-mails without being marked as spam being held by a tight few, the major companies have no hope of employing a full-time E-mail Manager, they hire a third party to send the e-mail, and this really popular third party got hit with an intrusion attack. Oops.
US Bank Email (Score:3, Informative)
Here is the US Bank email I just got...
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
US Bank is one of the "big" banks. I use them, and have been very satisfied with their service (well, they get a bit aggressive in trying to sell me more service, but I politely decline, and they stop bugging me).
I got both the TIVO notification and the US Bank notification.
sigh. I will remain diligent, but I suspect that companies will continue to use contractors like Epsilon for all the reasons mentioned. Outbound communication via email is a lot more complicated than just setting up a big SMTP server
if their security is as good as their programmers (Score:5, Informative)
.... then we're in trouble
I ran into their awful code back in August, when I was trying to sign in for a Sears email special (hey, I need some cheap tools ...)
the page is still there:
http://www.sears.com/shc/s/dap_10153_12605_DAP_Get%20Connected?adCell=WF [sears.com]
It wouldn't validate my password (say ... for example, "ab1cd2ef"), even though it met all the requirements:
"Password must be at least 8 characters, contain at least one number and one character, not start with a number and not contain any
special characters."
so I dug in a little, and found quite a gem of Javascript !
if (/^[a-zA-Z]+[0-9]+[a-zA-Z]*$/.test(oPass.value) == false) {
alert(invalidMsg);
oPass.focus();
return false;
}
it won't handle the two numbers ...
try it ... go to the sears link up there, and try registering with a password like ("ab1cd2de") ... don't worry, it won't work, so your (hopefully fake) email will be safe ...
if you want to see what's happening, have a look at the script.js file, and searh for the function verifyPass() ... ...
you can even see some commented out code of their previous attempts at implementing this basic functionality
I emailed Sears back in August, telling them where the error was, and a simple way to fix the regex used ... but all I got was an "out of office reply"
ah we.. I still managed to register after all, and have bought a few tools on sale ...
Re: (Score:2)
I get bitten by incompetent validation fairly often. A password should not be accepted which is too long without throwing an error, and yet often times I set a 20 character password only to find out later that the maximum length is 16 and that they ignored those last 4 characters.
Re: (Score:2)
Not to argue with your point about the validation, but the chances that Epsilon had anything to do with implementing that Sears.com login page are virtually nil.
Re: (Score:1)
Re: (Score:2, Informative)
Actually, the signup.aspx is in an iFrame on Sears that is pulled from Epsilon.com. So yes, Epsilon is the coder of the crap. A simple series of Test cases and some Googleing could have fixed that.
I too hate that when you are browsing a site that got something wrong and you try to point out how to fix it, since you are a customer and would like it to work in your browser of choice, and the company totally blows you off. When somebody gives you that detailed of an explanation about your problem, you should l
Re:what about back-end? (Score:1)
Nice catch on the front-end... now, what happens when you turn off Javascript? Do they use the same regex on the back-end? Do they check on the back-end?
Just curious, as I haven't had time to check for myself...
Re: (Score:1)
They must use a different one, I "forced" the bad password through, and it worked just fine (at least it did 8 months ago)
Re: (Score:1)
if their security is as good as their programmers .... then we're in trouble
This reminds me of the old computer laws I had on a mug in the early '80s... If construction workers built buildings the same way that programmers built programs, the first woodpecker that came along would destroy civilization.
Kroger's doesn't have my1040, college board does (Score:1)
Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.
Re: (Score:2)
Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.
Whew! All I can say is - thank goodness Epsilon's not in charge of RSA token security! If that got breached we'd be in REAL trouble!
Re: (Score:3)
My daughter would not be attending the high-quality, CSS-requiring educational institution she is today without a very hefty financial aid package from that school. Take your stupid and uninformed class warfare crap somewhere else, fella. I'm guessing you're just bitter that you weren't accepted into one of those institutions.
Re: (Score:2)
Kroger does have quite a bit, if you use their pharmacy, due to all the wonderful regulations.
Not saying that was part of the data they would send to a spam haus, but don't stick your head in the sand that they don't have a lot more data internally.
Would it be wrong to .. (Score:1)
1) Find random email spam list on internet
2) Claim it is the "FAMOUS" list from Epsilon
3) Sell to spammers @ premium rate
4) PROFIT !!!
Get ready for..... (Score:1)
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;
Vikings: Spam spam spam spam...
Waitress:
Vikings: Spam! Lovely spam! Lovely spam!
Waitress:
PayPal (Score:3)
Well we know the phishing attempts on PayPal might increase by .000000000000000000000000000000000000000000001%.
My really old email address gets about 50 (about a dozen unique) different PayPal phishing attempts *per day*.
I initially (even though I hate the bastards) did what I thought was the right thing and reported them, but after awhile it was like using a teaspoon to bail the water out of a sinking ship :)
Re: (Score:1)
I get a world of warcraft phising attempt once a week. Funny thing is I don't even have an account and have never played the game.
And the store wonder why... (Score:1)
I refuse to give them my private information just to shave a few points off of my shopping bill. How much is your personal private information worth? Quite a lot, apparently...
Re: (Score:2)
Another possible use (Score:2)
Great customer service there, Citibank (Score:2)
From TFA: "Citi also warned customers over Twitter about the incident"
So unless we're members of the twittering classes we're not deserving of notifications when a security breach occurs. Glad I'm not one of Citi's customers.
Re: (Score:1)
Re: (Score:2)
Well, Epsilon is a bit busy right now dealing with the compromise so Epsilon is probably waiting for Citi's check to clear before sending out the notice for Citi that Epsilon was hacked.
Figure out how to get around being called a spammer
Get lot of businesses to pay you for this knowledge
Get hacked.
Profit
Add Disney to the list (Score:2)
Text of e-mail from Disney this morning:
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience
Fine (Score:2)
Careers (Score:2)
I checked Epsilon's website. There are no IT Security jobs posted. Wonder how long it will be before that changes.
TiVo (Score:2)
TiVo notified me today of the breach.
US Bank (Score:1)
It got fixed the day the new regs took effect, up to that point they w
Epsion, Kroger Loyalty Card Data, etc. Stollen (Score:1)
Best Buy too (Score:2)
Dear Valued Best Buy Customer,
On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.
We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.
In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.
Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx [geeksquad.com].
Sincerely,
Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy
I like that they turned it into an opportunity to plug Geek Squad as well.