The Epsilon Security Breach and Your Business

In April of 2011, there was a good chance that someone in your company received at least one email announcing that their name and email address were compromised when a third party email service called Epsilon was hacked.

July 11, 2011 by Alex Collins

Who is Epsilon?

Epsilon is the online marketing unit of Alliance Data Systems Corp. which provides third party email campaign services to many corporations.  In early April, Epsilon’s information systems were breached and many individuals’ and corporations’ names and email addresses were exposed.  Because email addresses are not considered personally identifiable information, Epsilon was not required to notify the owners of exposed information—if you received a notification, it came from one of the corporations with which you have shared your email address.

Why it matters

Information security experts are concerned that this recent security breach could lead to a significant increase in unsolicited, malicious emails arriving in your corporate inboxes, which could put your organization at risk.  If any of your corporate email addresses were exposed, you can expect to see an inundation of the following types of malicious content in your company’s email system:
  • Malware delivered in email that looks legitimate is one of the easiest ways to compromise a single computer or an entire corporate information system.
  • Phishing is the technique of sending out unsolicited emails that are disguised to look legitimate.  The goal of phishing is to fool recipients into clicking on hyperlinks that redirect to malicious sites or into revealing personal information.
  • Spear phishing is a more sophisticated phishing technique in which the recipient has been specifically targeted because of their job title, employer, vertical market, etc.
  • Social engineering is one of the newest methods used to gain access to information and computer systems.  Often, the contact will occur through email (beware that exposed contact information is now being used in phone calls, texts, and instant messaging, too): the “scammer” contacts a person to tell her that “Joe,” the HR manager of her company, has recommended her for some new position, award, or similar opportunity, in an attempt to draw out more information for illicit purposes.

What to do

Information systems security experts believe that Epsilon’s recent information security breach is just the tip of the iceberg—data breaches of this nature are likely to become more common in the future, especially as technology advances.  Information security experts recommend that your company, especially if it suffered data exposure, take the time to mitigate the risks that can be expected from this specific exposure as well as from future incidents. Because of the nature of this security breach, businesses need to take a different approach to their information systems security—instead of investing more money in hardware and software, consider spending time to educate staff about malware, phishing, spear phishing, and social engineering scams.  Here is what your business should do:
  • Reeducate staff about information security as well as how to identify malware, phishing, and social engineering attacks.
  • Be vigilant for any unusual inquiries or activities initiated by third parties, especially if any of your corporate email addresses were stolen in the Epsilon (or any other) breach.
  • Change all account passwords on any services that require email addresses as login credentials.  Information security experts strongly recommend that, when possible, alternative login credential methods should be used.
  • Change corporate usernames and email addresses so that the username is not part of the email address.  IT security experts suggest that instead of setting up John Smith with the username JSmith and the email address JSmith@domain.com, you choose a username that cannot be read directly off the email address.  This simple step can help prevent a hacker who has only an exposed email address from easily identifying logon credentials and gaining access to your corporate information systems.
  • Screen corporate email for spam and viruses before it reaches the mail server by using a third party application such as Postini.
  • Report suspected phishing emails.  Any time that someone in your corporation receives a suspicious email, IT security experts recommend that you contact the service provider from which the email originated.  Most service providers such as MSN, Yahoo, Gmail, etc. provide a service that makes it easy to report phishing attempts.  You can also report phishing to the Secret Service by emailing phishing-report@us-cert.gov.
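One way to audit a user directory against the username advice above, as an added example that is not from the article or from All Covered: the account list is constructed, and the normalization rule (case-insensitive, ignoring dots, underscores and hyphens) is an assumption about what counts as "derivable" from the address.

```python
import re

# Constructed sample directory export of (username, email) pairs.
# Not data from the article or from the Epsilon breach.
ACCOUNTS = [
    ("jsmith", "JSmith@example.com"),         # username is the local part
    ("smith", "j.smith@example.com"),         # username is inside the local part
    ("mgarcia", "maria.garcia@example.com"),  # not derivable: fine
    ("u48213", "dlee@example.com"),           # opaque username: fine
    ("admin", "Admin@example.com"),           # differs only by case
    ("bad", "nobody"),                        # malformed address
]

def local_part(email):
    """Return the lower-cased text before '@', or None if malformed."""
    if email.count("@") != 1:
        return None
    return email.split("@")[0].lower()

def normalize(name):
    """Strip separators and case so 'John.Smith' and 'john_smith' compare equal."""
    return re.sub(r"[._-]", "", name.lower())

def username_exposed_by_email(username, email):
    """Return a reason string if the login name can be read off the email
    address, otherwise None.  Very short names are ignored for the overlap
    test to avoid flagging two-letter initials that appear in any address."""
    lp = local_part(email)
    if lp is None:
        return "malformed email"
    u, l = normalize(username), normalize(lp)
    if u == l:
        return "username equals email local part"
    if len(u) >= 4 and (u in l or l in u):
        return "username overlaps email local part"
    return None

def audit(accounts):
    """Return [(username, email, reason)] for each account that should be
    renamed under the 'username not part of the email address' advice."""
    return [(u, e, r) for u, e in accounts
            if (r := username_exposed_by_email(u, e))]

if __name__ == "__main__":
    for username, email, reason in audit(ACCOUNTS):
        print(f"{username:<10} {email:<28} {reason}")
```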

Learn more

IT security experts believe that the Epsilon breach is representative of the types of cybercrimes from which businesses need to protect themselves.  IT security experts also believe that cybercrimes of this nature are going to occur more often.  To learn more about how to protect your business from data exposure and other security risks, please contact the IT security experts at All Covered.