Epsilon e-mail hack: How you can protect yourself

Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; now I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address -- and maybe more.

If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a huge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital One, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the customers of its customers -- in other words, you and me.

A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, and Walgreens. Larry Ponemon, a security expert interviewed by the New York Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's overlap in those lists, but that's still millions of people.


By and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's because Epsilon has stated that only e-mail addresses and names were stolen. By themselves, those aren't enough to obtain really sensitive information like the password to your checking account.

I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the victim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.

Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." By that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are halfway into your account simply by knowing your e-mail address. (Remember, they know you're a customer of, say, Chase, because that information was stolen from Epsilon.)

It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, and often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit.

Here are two ways the bad guys may make use of that information, and what you can do to protect yourself.

Spear Phishing Attacks

You've probably heard of phishing. Simply put, that means luring a user to a site that's either a spam advertisement or one that has been infected with malware. It's called phishing because the hackers are fishing for victims. Spear phishing, though, is more insidious. Rather than send out an utterly random e-mail to random victims, the spear phisher targets (or spears) a specific class of people, or sometimes even specific individuals, by using information about them to make the bogus pitch seem genuine.


So if the hackers who broke into Epsilon learned that you have an account at Chase, you might well get an e-mail that looks like it came from Chase. Typically, that type of fraudulent e-mail would ask you to supply some sort of personal data, like your birthday or even a password, to "verify" your account info. Often those e-mails are breathlessly urgent, saying that your account will be shut down immediately if you don't respond.

The defense is simple: Ignore e-mails asking you to supply personal information. No reputable company or e-mail provider will ask you for it.
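The traits described above (a sender that only looks like a known company, a request for personal data or a password, and artificial urgency) can be checked mechanically. The following is an added example, not code from the original article or from any vendor; the brand/domain allowlist, the phrase lists and both sample messages are constructed for illustration, and a real deployment would load the allowlist from the organisation's own sending records.

```python
"""Heuristic triage of a suspected spear-phishing e-mail.

Added example (not part of the original article). Parses a raw RFC 822
message and reports the warning signs the article describes. The allowlist,
phrase lists and sample messages below are constructed, not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains a brand legitimately sends from.
KNOWN_SENDER_DOMAINS = {
    "example bank": {"examplebank.example", "mail.examplebank.example"},
}

# Phrases that characterise a request for credentials or personal data.
CREDENTIAL_REQUESTS = [
    r"\bverify your (account|identity|information)\b",
    r"\b(confirm|enter|provide|update) your (password|pin|date of birth|birthday|ssn|social security)\b",
]
# Phrases that manufacture urgency.
URGENCY_PHRASES = [
    r"\bimmediately\b",
    r"\bwithin (24|48) hours\b",
    r"\baccount will be (suspended|closed|locked)\b",
    r"\bfinal (notice|warning)\b",
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # Brand impersonation: display name claims a known brand, address does not match.
    for brand, domains in KNOWN_SENDER_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but From domain is {from_domain!r}")

    # A Reply-To pointing away from the From domain redirects the victim's answer.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain")

    # Collect the plain-text body (single-part or multipart).
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = " ".join(
        p.get_payload(decode=True).decode("utf-8", errors="replace")
        for p in parts if p.get_content_type() == "text/plain"
    ).lower()

    if any(re.search(p, text) for p in CREDENTIAL_REQUESTS):
        findings.append("body asks the reader to supply personal data or a password")
    if any(re.search(p, text) for p in URGENCY_PHRASES):
        findings.append("body uses artificial urgency")
    return findings


# Constructed sample: the kind of message the article warns about.
SUSPICIOUS = """\
From: Example Bank Security <alerts@examp1ebank-secure.example>
Reply-To: support@mailbox-relay.example
To: customer@mail.example
Subject: Action required
Content-Type: text/plain; charset="utf-8"

Dear customer, unusual activity was detected. Verify your account
information and confirm your password immediately or your account will be
suspended within 24 hours.
"""

# Constructed sample: a routine offer from the brand's legitimate domain.
BENIGN = """\
From: Example Bank Offers <offers@mail.examplebank.example>
To: customer@mail.example
Subject: New rewards card
Content-Type: text/plain; charset="utf-8"

Learn about our new rewards card. No action is needed; you can read the
details on our site at your convenience.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", triage(raw) or ["no findings"])
```

The check is deliberately a triage aid rather than a verdict: a single finding (say, an unrelated Reply-To on a genuine mailing) is common, while several together match the pattern the article describes. The rule that matters most for the reader is the one the article gives: a message that asks for a password or personal data is treated as fraudulent regardless of how it scores.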

Password Hacking

Guessing someone's password isn't always very hard. As a backup for forgetful users, many sites have so-called security questions, like "the name of my high school was" or "my favorite pet is." As Credit.com's Levin points out, "In the Facebook age, it's not difficult to figure out someone's high school or mother's maiden name." That's a great point.

Levin suggests answering those question prompts with information that's totally unrelated, like: "My pet's name is --- Omaha, Nebraska." But how would you remember that? At the very least, though, make those answers a lot tougher, or even decline to give yourself those hints.

Serious hackers don't sit around guessing your password; they use automated programs to do the hard work. That means you've got to stop using the same password over and over. As bad as it would be to have your checking account hacked, how would you like it if that same password opened the door for hackers to access your retirement and investment accounts?

As you've no doubt heard, you should use strong passwords, which means they should be long and have letters, numbers, and characters (like % or #) scattered randomly within them. And do not use your birthday or the names of your kids.


Of course, you'll never remember those strong passwords, so I suggest using a password manager. I've recommended Roboform in the past and have recently heard good things about LastPass, though I haven't tried it yet.

When you visit a site and fill in the username and password, the manager will remember them, and fill them in for you the next time you're there. You only have to remember a master password. Some of those programs will even generate a random password for you. Use it; it's likely to be stronger than anything you dream up.
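To show why a manager-generated password beats anything you dream up, here is an added example (not the article's, and not code from Roboform, LastPass or any other product) that generates a password the way such tools do and compares its search space with a "first name plus birth year" pattern. It uses Python's `secrets` module, which draws from the operating system's cryptographic random source; the size of the human pattern's search space and the attacker guess rate are constructed assumptions used only to make the comparison concrete.

```python
"""Random password generation and a strength comparison.

Added example, not from the article or any password manager. The "name + birth
year" search-space size and the guess rate are constructed assumptions.
"""
import math
import secrets
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"        # the "characters like % or #" the article mentions
ALPHABET = LETTERS + DIGITS + SYMBOLS   # 76 symbols


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one letter, one digit and one symbol."""
    return (any(c in LETTERS for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET that covers all three classes.

    Rejection sampling keeps the result uniform over the accepted set; at
    length 20 almost every candidate is accepted on the first try.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to cover all three classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years an attacker at the given rate needs to try every candidate.

    The default rate is a constructed figure for an automated offline attack.
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed assumption: "first name + birth year" drawn from about 5000
# common names and about 120 plausible years. Length does not help here;
# the search space is the number of combinations, not the character count.
HUMAN_PATTERN_BITS = math.log2(5000 * 120)

if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print(f"generated 20-char entropy: {entropy_bits(20):.1f} bits, "
          f"{years_to_exhaust(entropy_bits(20)):.2e} years to exhaust")
    print(f"name+year pattern:         {HUMAN_PATTERN_BITS:.1f} bits, "
          f"{years_to_exhaust(HUMAN_PATTERN_BITS):.2e} years to exhaust")
```

The point of the comparison is the one the article makes: a password built from facts about you is drawn from a small set no matter how long it looks, whereas a manager's random 20-character password has roughly 125 bits of entropy, and the only thing you still have to remember is the master password.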

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net.

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.
