Have you read or heard the news about the enormous hack at Epsilon, which touts itself as the World's Largest Permission Based Email Marketing Services Company? The hack affects a long list of major brands and probably includes some companies that you use.
If you paid attention to the reports, then you've heard that no credit card accounts or social security numbers were taken, just millions and millions of email addresses and, in some cases, full names.
No big deal? Maybe, maybe not.
Some security experts think it means more spear-phishing attacks on businesses and individuals. Others don't think it is all that big of a deal.
I predict three outcomes and suggest remedies:
First, the amount of FUD (fear, uncertainty and doubt) in sales and marketing messages from your technology vendors will increase. With each and every spectacular hack in the market, FUD changes and morphs to include the new event as a reason to "BUY NOW!", even when, as we see daily, the product in question doesn't safeguard against that kind of hack. Be an informed buyer, particularly of items as critical as security technologies.
Second, this large-scale hack will catch the attention not just of the security and audit teams at these firms but of the corporate suites as well, resulting in greater attention to third-party verification and vendor assurance programs. The list of companies affected includes a host of major brands. I've worked with small businesses that provide services to some of these firms. We've helped these small businesses prepare their environments to meet vendor qualification requirements, and we've helped them prepare for audits by the larger firms' audit departments as part of contractually required vendor audits. If your firm provides services that depend on confidential data from these firms, or from others with a similar profile, be prepared for a heightened audit process.
Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients, and that might put you at risk in two ways:
- Targeted phishing attacks that look like legitimate messages from any of these companies are likely in our future. Know how to protect yourself from phishing attacks, which Jacadis partner SOPHOS neatly outlines.
- Accounts that depend on your email address might be at risk. Better safe than sorry: I would suggest you change your passwords on those accounts and make sure they are strong passwords.
What impacts on business and personal security do you think will follow from the Epsilon hack? What fears do you have about how it affects your business or yourself?