April 05, 2011, 12:09 PM — On the same day we were absorbing the news that a widespread SQL injection attack against unprotected web sites infected millions of pages but had almost no impact, news broke of a successful attack that took exactly the opposite approach.
Rather than spreading a not-too-effective trap for individual consumers as widely as possible, this attack focused on a site with a huge supply of data that spear phishers could use to target subsequent attacks.
On March 30, someone breached databases at a digital direct-mail service provider named Epsilon, which sends out more than 40 billion commercial email messages every year for legitimate companies – meaning not primarily spammers.
Among the 50 or so Epsilon customers with data taken during the breach are Hilton Hotels, Barclays, Citibank, JP Morgan Chase, Lacoste, Target, Citigroup, Tivo, Walgreens, and Marriott, according to CIO.
Email address lists from legitimate companies are not considered as sensitive or valuable as financial data, but phishers prize them for a different reason: every address on them has been confirmed as live and in use by the company that collected it, and the thief knows which company's customers each list belongs to, which is exactly what a convincing spear-phishing message needs.
Email lists that spammers buy, steal, or generate at random tend to be a low-quality mix: addresses that are fake, out of date, misspelled, or defunct, or that belong to people who can afford a free online forum account but not an overnight stay at the Hilton or an account at Barclays.
Epsilon's customers have presumably already done that filtering for the attacker, which is why the breach represents a real security risk rather than just a potential annoyance, according to the anti-spam consumer advocacy group Coalition Against Unsolicited Commercial Email (CAUCE).