Jul 27, 2011

Epsilon and the Disappearance of Millions and Millions of Email Addresses

Until recently, most of the general public was totally unfamiliar with a company called Epsilon.  And even if some of us had heard of it, we never would have thought that it would soon become an international focal point.

Epsilon is a firm that manages email-marketing campaigns for large companies. Managing these campaigns requires massive amounts of information and filtering. Epsilon makes sure that men don’t get email campaigns about feminine hygiene products, that college students don’t get ads about pre-planning funerals, and that mothers do get ads about everything having to do with children. Of course, compiling all that information takes a lot of time and manpower, two resources that large companies usually prefer not to allocate to their marketing departments. So, they hire companies like Epsilon to do it for them. Because of this, Epsilon has information about millions and millions and millions of customers, including names and email addresses.

Recently, a group hacked into Epsilon’s servers and pulled personal data on some of those millions of customers.  While Epsilon isn’t talking about how the breach occurred, they are saying that the hackers only got away with email addresses and names.  No banking, financial, or other sensitive information was taken.

If the hackers only got names and email addresses, is this breach even important? Unfortunately, the answer is: yes, it is very important. One of today’s most common threats to your personal information is phishing: sending out emails that ask people to send back specific information, like financial info or logins for sites, so that unsuspecting users willingly give out their info.

The most troublesome aspect of the breach is that the hackers can use those email addresses and names and mask the sender address so that people think they are getting a personalized email from a reputable company they already do business with.  For instance, a hacker could “mask” an address so it looks like Joey is getting an email from Citibank about his online account, asking for login verification, perhaps even referencing earlier emails that were actually sent by Citibank.  If Joey isn’t careful, he could give out all his banking information – and get phished.

It is difficult to pin down exactly which companies have been affected, but here is a list of some of them: JP Morgan Chase, Citibank, 1-800-Flowers, Walgreens, Best Buy, Capital One, Ethan Allen, Target and others. I think it is fair to say that you or someone you know has gotten a warning from at least one company letting you know about the Epsilon breach. I got three different emails from three different companies that had used Epsilon informing me about the breach.

The important thing for you to remember is to be very careful about sharing information. For the next few weeks or months, take on a “trust no one” attitude and vigilantly check each email you receive that asks for personal information. Simply don’t reply via email with any sensitive information. Instead of clicking on any embedded links, type them into the browser. If you are suspicious, call the company directly to verify that the email is genuine.
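The checks described above (looking past a masked sender name to the real address, and not trusting embedded links) can be run over a saved message. This is an added example, not part of the original post: the sample message, its placeholder domains and the function names are constructed for illustration, and it assumes you already know the company's real domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message); every domain is a reserved placeholder.
SAMPLE = '''\
From: "Citibank Online" <alerts@citi-secure.example.net>
Reply-To: verify@mailbox.example.org
Subject: Please verify your login
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
Content-Type: text/html

<p>Dear Joey, confirm your login at
<a href="http://login.example.net/verify">https://online.citibank.example/</a></p>
'''

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header, lowercased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_message(raw, expected_domain):
    """Return warning codes for signs that the sender is not expected_domain."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    # 1. The display name is free text; only the address domain counts.
    if from_dom != expected_domain and not from_dom.endswith("." + expected_domain):
        warnings.append("from-domain:" + from_dom)
    # 2. Replies routed to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append("reply-to:" + reply_dom)
    # 3. SPF/DKIM/DMARC verdicts; trust this header only from your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if verdict != "pass":
            warnings.append(f"auth:{mech}={verdict}")
    # 4. Link text that shows one host while the href points to another.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != target:
            warnings.append(f"link:{shown}->{target}")
    return warnings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE, "citibank.example")))
```

An empty result only means none of these four signs were found, so the advice to call the company when in doubt still applies.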

Epsilon may not know who did this, but you don’t need to wait to find out to be safe.

**UPDATE: Attorney General asked to look into security breach.**