On the same day we were absorbing the news that a widespread SQL injection attack against unprotected web sites infected millions of pages but had almost no impact, news broke of a successful attack that took exactly the opposite approach.
Rather than spreading a not-too-effective trap for individual consumers as widely as possible, this attack focused on a site with a huge supply of data that spear phishers could use to target subsequent attacks.
On March 30, someone breached databases at a digital direct-mail service provider named Epsilon, which sends out more than 40 billion commercial email messages every year for legitimate companies – meaning not primarily spammers.
Among the 50 or so Epsilon customers with data taken during the breach are Hilton Hotels, Barclays, Citibank, JP Morgan Chase, Lacoste, Target, Citigroup, Tivo, Walgreens, and Marriott, according to CIO.
Though they are not considered as sensitive or valuable as financial data, email address lists from legitimate companies are prized by phishers because the addresses on them have already been confirmed as live by the companies that owned them.
Email lists bought, stolen, or randomly generated by spammers tend to be a low-quality mix of addresses that are fake, out of date, misspelled, defunct, or belonging to people who might be able to afford a free online forum account but not an overnight stay at the Hilton or shopping trip to Barclays.
Epsilon's clients have presumably already weeded out such addresses, which is why the breach represents a real security risk rather than just a potential annoyance, according to the consumer advocacy group Coalition Against Unsolicited Commercial Email (CAUCE).
Epsilon announced the breach April 1, updating it yesterday to note the breach affected about two percent of its clients.
(Epsilon gets props for announcing the breach in a release on its website, rather than just telling its clients and ignoring potential victims among the public, or sending out a press release and then clamming up. Still, the announcement of a major security breach is about a third the length of the announcement a week earlier that it had hired two new execs to lead its retail marketing business. Priorities. )
Epsilon belongs to $2 billion/year Alliance Data Systems Corp, which runs customer-loyalty programs, retail customer-data-marketing services, and, through Epsilon, direct-email marketing campaigns for "over 2200 global brands such as Hilton Hotels, Verizon, New York & Company, Kraft, KeyBank, and AstraZeneca."
With verified emails, spammers or spear phishers can direct scams at actual customers and, if they put in the extra work to add personal-identity information from personal-data brokers or online-activity records, build more complete profiles of individual consumers in order to target them more specifically.
The breach is a warning to companies that use outside service providers for commercial email and other services, according to a GovInfoSecurity story on the potential liability of companies owning the stolen data.
Email address lists aren't considered as sensitive as financial or medical data, so they tend not to be as tightly secured in encrypted databases or high-security servers.
Big mistake. No matter who lost the list, if a customer gave you the information, they'll hold you liable, according to New York privacy and data security lawyer Lisa Sotto.
Even if they're not covered by HIPAA, CAN-SPAM, COPPA or other federal regulations on personal data, email addresses need to be protected, if only because losing them gives customers the idea you're not nearly as reliable as all your marketing says you are.
That's an impression you can't fix with another online marketing campaign, no matter how many copies of the email you send out to customers.