FAQ: Epsilon email breach

While names and emails were exposed, it could have been worse

An email server breach at Epsilon Interactive exposed the names and email addresses of millions of people. The breach is being described as the worst of its kind.

Here's what you need to know:

What happened? Epsilon Interactive last Friday announced that unknown intruders had broken into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers. Epsilon has not disclosed how many accounts in total were exposed in the breach. Some say it is the largest breach ever involving this kind of data, meaning that tens of millions of email addresses were likely compromised.

I've never heard of Epsilon. Why do they have my name and email address? Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven out of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of them before, chances are high that your bank, favorite retailer, or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.

How did the breach happen? Epsilon has not divulged any details of the breach beyond saying that it was discovered on March 30.

If it's only names and email addresses that were exposed, why is everybody acting so concerned? The Epsilon breach, big as it is, could have been much worse. Right now, the biggest concern is that the stolen email addresses will be used by the intruders to launch sophisticated and highly targeted phishing attacks.

The stolen information will allow scammers to send authentic-looking email messages that appear to come from a bank or other business with whom the user has an existing relationship. The emails will try to trick users into parting with information such as the log-in credentials for their bank or other online account, or they could try to trick them into downloading malware onto their systems. Users who don't fall for such scams should be fine.

Will the stolen information allow the attackers to break into my bank account? No. Only email addresses and names were compromised, not login credentials.

I just received an email from my bank informing me about the breach. What steps do I need to take to protect myself? The first thing to do is relax. The stolen information by itself will not allow the intruders to break into any of your online accounts or to commit identity theft. The main thing to remember is not to respond to, or follow links in, any email that purports to come from your bank or other business asking you to update or validate your account information or to provide other personal details. Such links only take you to a bogus website set up to collect personal data, or to download malware onto your system.

Don't respond to emails that threaten to close or suspend your account unless you provide certain personal information immediately. Never send your username and password in response to any email that asks for it, however authentic-looking the email may appear. Legitimate companies do not typically ask for such information in an email.

Should I change my email address? That probably would be the safest thing to do, but it can be a huge hassle. For the moment, the best option is to be extra vigilant in watching for phishing attempts.

What other information, besides names and email addresses, was compromised? So far, Epsilon has only admitted that names and email addresses were compromised in the breach. The company collects and sells a lot of other customer data, but it's not saying if any of that data was exposed in the breach.

Is there a complete list of all the companies affected by the breach? No. Epsilon has not released that yet. But blogger Brian Krebs has compiled a (growing) list of the companies that have notified their customers about the breach so far. Close to 50 companies are on that list, including Best Buy, Citibank, Disney, JPMorgan Chase, The Home Shopping Network, Hilton, Marriott and the College Board.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
