Have you read or heard the news about the enormous hack at Epsilon, which touts itself as the World's Largest Permission Based Email Marketing Services Company? The hack affects a long list of major brands and probably includes some companies that you use.
If you paid attention to the reports, you've heard that no credit card numbers or social security numbers were taken, just millions and millions of email addresses and, in some cases, full names.
No big deal? Maybe, maybe not.
Some security experts think it means more spear-phishing attacks on businesses and individuals. Others don't think it is all that big of a deal.
I predict three outcomes and suggest remedies:
First, the amount of FUD (fear, uncertainty and doubt) in sales and marketing messages from your technology vendors will increase. With each and every spectacular hack in the market, FUD changes and morphs to include the new event as a reason to "BUY NOW!", even when, as we see daily, the product in question would not have safeguarded against that kind of hack. Be an informed buyer, particularly of items as critical as security technologies: ask the vendor to explain specifically which step of the reported attack their product would have prevented or detected.
Second, this large-scale hack will catch the attention not just of the security and audit teams at these firms but of the corporate suites as well, resulting in greater attention to third-party verification and vendor assurance programs. The list of companies affected includes a host of major brands. I've worked with small businesses that provide services to some of these firms. We've helped these small businesses prepare their environments to meet vendor qualification requirements, and we've helped them prepare for audits by the larger firms' audit departments as part of contractually required vendor audits. If your firm provides services that depend on confidential data from these firms, or from others with a similar profile, be prepared for a heightened audit process.
Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients, and that might put you at risk in two ways:
- Targeted phishing attacks that look like legitimate messages from any of these companies are likely in our future. Because the attacker now knows which brand you do business with, and in some cases your full name, the lure can be addressed to you personally and styled like that brand's real mailings; the sending domain and the real link targets are what give such messages away. Know how to protect yourself from phishing attacks, which Jacadis partner SOPHOS neatly outlines.
- Accounts that use your email address as the login name or the password-recovery address might be at risk. Better safe than sorry. I would suggest you change your passwords on those accounts and make sure they are strong passwords, and not the same password reused across accounts.
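The first bullet describes a lure that borrows a brand's name and addresses you by your real name. The following is an added example, not code from the original post or from Jacadis or SOPHOS, showing the kind of mechanical checks a mail filter or a careful reader can apply to such a message: does the display name invoke a brand whose real sending domains (a hypothetical allow-list here) do not match the sender address, do Reply-To or Return-Path point somewhere other than the From domain, and does the visible link text show one host while the href goes to another. The two messages are constructed for the demo; the brand and domains are invented.

```python
"""Heuristic checks for a message that claims to come from a known brand.

Added example with constructed data; KNOWN_BRANDS is a hypothetical allow-list.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword (as it appears in a display name,
# lower-case, spaces removed) -> domains that brand really sends from.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com", "mail.examplebank.com"},
}

# Pull (href, visible label) pairs out of an HTML body.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://([^/\s<]+)", re.I)


def registrable(host):
    """Crude last-two-labels reduction: mail.examplebank.com -> examplebank.com.
    Good enough for the demo; a production check would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw, policy=default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # 1. Display name invokes a brand, but the address is not on that brand's domains.
    for brand, domains in KNOWN_BRANDS.items():
        brand_domains = {registrable(d) for d in domains}
        if brand in name.lower().replace(" ", "") and registrable(from_dom) not in brand_domains:
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")

    # 2. Replies or bounces are routed to a different domain than the From address.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(str(msg.get(hdr, "")))
        if other and domain_of(other) != from_dom:
            findings.append(f"{hdr} domain {domain_of(other)} differs from From domain {from_dom}")

    # 3. Link text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in HREF_RE.findall(text):
        href_host = urlparse(href).hostname or ""
        shown = URL_IN_TEXT_RE.search(label)
        if shown and registrable(shown.group(1)) != registrable(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")

    return findings


# Constructed sample: a lure that uses the victim's real name and a look-alike domain.
SAMPLE_PHISH = """\
From: Example Bank Alerts <alerts@examp1ebank-secure.net>
Reply-To: support@examp1ebank-secure.net
To: Jane Doe <jane.doe@example.org>
Subject: Jane, please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Doe,</p>
<p>Visit <a href="http://login.examp1ebank-secure.net/x">https://www.examplebank.com/login</a>.</p>
</body></html>
"""

# Constructed sample: a message that really comes from the brand's own domain.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@mail.examplebank.com>
To: Jane Doe <jane.doe@example.org>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Doe,</p>
<p>Sign in at <a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or "no findings")
```

None of these checks proves a message is malicious on its own; a legitimate marketer may route replies through a different domain, which is exactly why Epsilon-style senders complicate the picture. The checks are cheap, though, and a message that trips the display-name and link-mismatch rules together deserves a phone call to the company rather than a click.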
What impacts on business and personal security do you think will follow from the Epsilon hack? What fears do you have about how it affects your business or yourself?


If someone learned my e-mail address, it's no big deal. Whoever spams me already knows my e-mail addresses. If they now know what bank is associated with that e-mail, they have the opportunity to target me by specifically leveraging that relationship.
I see that as relatively minor. What I see as a big deal is that my bank shared my e-mail with a 3rd party without me knowing or consenting.
Posted by: Michael Janke | 04/05/2011 at 09:35 AM
If someone learned your email addresses AND you are already vigilant about protecting yourself from phishing attacks, it is no big deal. A lot of small business people I work with are just learning the skills of phishing protection.
This has the potential to be insidious because in some cases an email associated with a formal name and coming from a trusted business might sneak by even the most paranoid.
Regardless of the chances of an actual exploit from the information taken, it makes a good trigger to do some password maintenance.
You are the first that I've encountered discussing permission and consent. I think you are right. We'll have to see how that bubbles into the story. I wonder how many of us did provide consent that was buried in unreadable online user agreements?
Thanks for the comment.
Posted by: Douglas Davidson | 04/05/2011 at 10:53 AM
Great review. The attack has happened and now people need to react. Changing and updating passwords is a must. Most people use the same password for multiple accounts (including those with $$$ amounts tied to them).
Posted by: MSA ID Protect | 04/05/2011 at 11:42 AM