April 12, 2011, 2:10 PM — Earlier this month, more than 50 companies were caught up in a massive theft of names and email addresses from Epsilon Interactive, the email marketing firm that sent mail on their behalf. With millions of customers of companies such as Best Buy, Brookstone, Dell, Marriott and many others affected, the question is being raised: are so many breach notifications from so many companies numbing their impact?
As for the breach that started it all for Epsilon, it's becoming an all-too-common story: employees were spear-phished with emails that linked to a malicious website or carried an attachment designed to infect endpoints with malware. Once a foothold was established, the attackers moved on to what they were after. The same techniques have been behind, among many other incidents, the now-infamous Operation Aurora and the recent RSA Security breach.
The Epsilon breach is relatively tame by breach standards. As far as is known, no Social Security numbers, financial account numbers or even physical street addresses were stolen: only names, email addresses, and the knowledge of which company each customer had a business relationship with. What worries experts now is that this is exactly the combination a spear-phisher needs. Customers can now be sent personalized mail that convincingly appears to come from a company they actually do business with, so the people named in the stolen data will become targets themselves.
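The risk described above is that a customer receives a mail that addresses them by name and claims to come from a brand they know, but whose links lead somewhere else. The script below is an added example written for this page, not code from the article, from Epsilon or from any of the companies named. It pulls every link out of an HTML mail body and flags three spear-phishing tells: a link whose host is outside the brand's known domains, visible link text that shows one domain while the href goes to another, and a lookalike host that embeds the brand name in a foreign domain. The brand allow-list, the sample messages and the two-label "registrable domain" shortcut are all assumptions made for illustration; a real deployment would use the brand's published domains and a proper public-suffix list.

```python
"""Flag spear-phishing indicators in an HTML email body.

Added example for this article; not the article's, Epsilon's or any
named company's code. Sample mails and the brand allow-list below are
constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hosts a brand legitimately links to in mail.
# A real list would come from the brand's own published web/mail domains.
KNOWN_BRAND_DOMAINS = {
    "bestbuy.com": {"bestbuy.com", "emailinfo.bestbuy.com"},
}

# Constructed sample: personalized, brand-named, links go elsewhere.
SAMPLE_PHISH = """<html><body>
<p>Dear Jane Doe, as a valued Best Buy customer we need you to confirm your account.</p>
<p><a href="http://bestbuy.com.account-verify.net/login">https://www.bestbuy.com/account</a></p>
<p><a href="http://bestbuy-rewards.com/claim">Claim your reward</a></p>
</body></html>"""

# Constructed sample: a benign mail whose link stays on the brand's domain.
SAMPLE_LEGIT = """<html><body>
<p>Your order has shipped. <a href="https://www.bestbuy.com/orders">Track it</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: the last two labels. Fine for .com-style hosts;
    a real checker would consult the public suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


# Matches something that looks like a hostname inside visible link text.
_DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def analyze_links(html, claimed_brand):
    """Return (finding_kind, detail) tuples for links inconsistent with
    the brand the mail claims to come from. Empty list means no tells."""
    allowed = KNOWN_BRAND_DOMAINS.get(claimed_brand, {claimed_brand})
    brand_label = claimed_brand.split(".")[0]
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host_of(href)
        reg = registrable(host)
        # Tell 1: the link leaves the brand's known domains entirely.
        if host not in allowed and reg not in allowed:
            findings.append(("off-brand-link", href))
        # Tell 2: visible text shows one domain, the href goes to another.
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(0)) != reg:
            findings.append(("text-href-mismatch", f"{text} -> {host}"))
        # Tell 3: brand name embedded in a host the brand does not own.
        if reg not in allowed and brand_label in host.replace("-", ""):
            findings.append(("lookalike-domain", host))
    return findings


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_links(body, "bestbuy.com"))
```

Run as-is, the constructed phishing sample yields five findings (two off-brand links, one text/href mismatch, two lookalike hosts) and the benign sample yields none. The check is deliberately content-only: it needs no network, so it can run on a mail gateway or in a user's mail client without leaking which messages were inspected. It does not replace SPF/DKIM/DMARC verification of the sending domain, which catches forged senders rather than misleading links.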
Gartner analyst Avivah Litan told CSOOnline that financial institutions including Barclays Bank of Delaware, Capital One, Citibank, JPMorgan Chase, TD Ameritrade and others are "freaking out" over the breach.
Now, with a breach that in all likelihood produced millions of notifications, will people pay attention, or will they receive so many breach notices that they simply tune out?
"The Epsilon breach resulted in many consumers receiving multiple notifications, almost exclusively by email, that systems storing emails may have been compromised and that they shouldn't trust emails. There is a lot of irony in that," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "Then there is the idea of notification fatigue. People get these notices and they wonder what they can do about it. The frank answer is there is nothing they can do about it."
But Rafal Los, security evangelist at HP Software, says the notices have built considerable awareness around the dangers of phishing attacks.