Epsilon Data Breach Bigger Than Just Kroger Customers' Data
wiredmikey writes with an update to the previously reported Epsilon breach: "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow ..." An anonymous reader points out that U.S. Bank is on the list of affected companies; I wonder how many more phishing attempts this will mean.
Just got this email:
CollegeBoard.com
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.
Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.
Epsilon has reported this incident to, and is working with, the appropriate authorities.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
The College Board
I got a message from TiVo today about this exact type of breach. I guess they use this company also, although the email was vague on the name of the company and the reason they had my email to begin with.
Erdos, who never married, would greet the sight of a colleague's toddler by exclaiming, "Aha, an epsilon!" Even an absent-minded mathematician would have realized that you don't put customer data in the custody of an Epsilon.
Usually email marketing databases include a lot more than name and email. They can include identifying demographic info such as home address, sex, age, income, and more to allow for message targeting. Now it's possible that these guys only took names and emails as Kroger and US Bank have announced, but I wouldn't be surprised if Epsilon perhaps underplayed the severity of the breach to their clients.
Airplane Photos, Airline News, Planespotting Guides
One can only hope this sheds some light on the way companies routinely share otherwise personal information without full disclosure. Maybe if enough people see all their information being compromised by 3rd-party affiliates they never heard of, they'll realize what's going on. They just don't seem to realize (or care) that just by filling out 1 form and handing it to 1 company, dozens of other partner/contractor/affiliate companies get a copy and will likely keep it forever.
It's even worse when they do it with social security numbers or financial data. My school routinely hands social security numbers to other companies as a way of "minimizing liability" because if something happens then they can blame the contractor, as if that somehow minimizes the risk to students. I see this sort of thing happen all too often and it saddens me.
These people are idiots for outsourcing private information like that... that's why I keep all my customer data on my little notepad, which is.. right... um... around here somewhere... hm... oh well, I'm sure I'll find it eventually.
WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
Data security doesn't matter where the data is located. It matters EVERYWHERE data is located. Incompetency is everywhere.
Standard reply: nothing is foolproof because fools are so ingenious.
---- Teach Peace. It's Cheaper Than War.
Here is the US Bank email I just got...
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
.... then we're in trouble
I ran into their awful code back in August, when I was trying to sign in for a Sears email special (hey, I need some cheap tools ...)
the page is still there:
http://www.sears.com/shc/s/dap_10153_12605_DAP_Get%20Connected?adCell=WF
It wouldn't validate my password (say ... for example, "ab1cd2ef"), even though it met all the requirements:
"Password must be at least 8 characters, contain at least one number and one character, not start with a number and not contain any special characters."
so I dug in a little, and found quite a gem of JavaScript!
// quoted from Sears' script.js, verifyPass(): letters, then one run of digits, then optional letters; a second run of digits never matches
if (/^[a-zA-Z]+[0-9]+[a-zA-Z]*$/.test(oPass.value) == false) {
    alert(invalidMsg);
    oPass.focus();
    return false;
}
it won't handle the two numbers ...
try it ... go to the sears link up there, and try registering with a password like ("ab1cd2de") ... don't worry, it won't work, so your (hopefully fake) email will be safe ...
if you want to see what's happening, have a look at the script.js file, and search for the function verifyPass() ... ...
you can even see some commented out code of their previous attempts at implementing this basic functionality
I emailed Sears back in August, telling them where the error was, and a simple way to fix the regex used ... but all I got was an "out of office reply"
ah well... I still managed to register after all, and have bought a few tools on sale ...
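The regex quoted in the post beside a validator that implements the stated policy (at least 8 characters, at least one number and one letter, no leading number, no special characters), as an added example that is not Sears' or Epsilon's code. The rule-by-rule verifyPass() is an assumed rewrite, not the site's actual fix; it also shows that the original regex never checked length at all.

```javascript
// Added example (not from the original post or site). The quoted pattern
// allows exactly one run of digits, so "ab1cd2ef" is rejected although it
// satisfies every stated rule.
const originalPattern = /^[a-zA-Z]+[0-9]+[a-zA-Z]*$/;

function verifyPassOriginal(pass) {
  return originalPattern.test(pass);
}

// Assumed rewrite: one check per stated rule, so a rejection names the rule
// that failed instead of a single opaque "invalid" message.
function verifyPass(pass) {
  const errors = [];
  if (pass.length < 8) errors.push("must be at least 8 characters");
  if (!/^[a-zA-Z0-9]*$/.test(pass)) errors.push("must not contain special characters");
  if (/^[0-9]/.test(pass)) errors.push("must not start with a number");
  if (!/[0-9]/.test(pass)) errors.push("must contain at least one number");
  if (!/[a-zA-Z]/.test(pass)) errors.push("must contain at least one letter");
  return { ok: errors.length === 0, errors };
}

// Side-by-side result for one candidate password.
function compare(pass) {
  return { original: verifyPassOriginal(pass), fixed: verifyPass(pass).ok };
}

// Constructed sample passwords: the post's own example plus edge cases.
const samples = ["ab1cd2ef", "abcdef12", "abc1", "1abcdefg", "abcdefgh", "ab1cd2e!"];
for (const p of samples) {
  const r = compare(p);
  console.log(`${p.padEnd(9)} original=${r.original} fixed=${r.fixed}`);
}
```

Client-side validation like this only improves the form's usability; the same rules still have to be enforced on the server, which the browser-side script cannot guarantee.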
Not to argue with your point about the validation, but the chances that Epsilon had anything to do with implementing that Sears.com login page are virtually nil.
Well we know the phishing attempts on PayPal might increase by .000000000000000000000000000000000000000000001%.
My really old email address gets about 50 (about a dozen unique) different PayPal phishing attempts *per day*.
I initially (even though I hate the bastards) did what I thought was the right thing and reported them, but after a while it was like using a teaspoon to bail the water out of a sinking ship :)
My daughter would not be attending the high-quality, CSS-requiring educational institution she is today without a very hefty financial aid package from that school. Take your stupid and uninformed class warfare crap somewhere else, fella. I'm guessing you're just bitter that you weren't accepted into one of those institutions.
I got this one yesterday:
Dear New York & Company Customer,
Yesterday, we were informed by our email service provider that your
email address was exposed by unauthorized entry into their system. Our
email service provider deploys emails on our behalf to customers who
have opted into email based communications from us. We want to assure
you that the only information that was obtained was your name and/or
email address. Your account and any other personally identifiable
information were not at risk.
Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We also want to remind you that
we will never ask you for your personal information in an email.
We sincerely regret this has taken place, and we apologize for any
inconvenience this may have caused you. We take your privacy very
seriously, and we will continue to work diligently to protect your
personal information.
Please visit http://faq.nyandcompany.com/ for answers
to some frequently asked questions about this incident.
Sincerely,
New York & Company
You've received this message because you registered to receive
email from New York & Company. If you no longer wish to receive
email from us, or would like to edit your email preferences,
click here.
http://email.nyandcompany.com/p/NYandCompany/OptOut?EMAIL_ADDRESS=nyandcompany_orders@ecuadors.net&
Click here to view our Privacy Policy.
http://www.nyandcompany.com/nyco/company/privacy.jsp?&
New York & Company Corporate Office
450 W. 33rd Street
New York, NY 10001
And this one today:
Dear Guest,
We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.
We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.
We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.
As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.
If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.
Sincerely,
Disney Destinations
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Actually, the signup.aspx is in an iFrame on Sears that is pulled from Epsilon.com. So yes, Epsilon is the coder of the crap. A simple series of test cases and some Googling could have fixed that.
I too hate that when you are browsing a site that got something wrong and you try to point out how to fix it, since you are a customer and would like it to work in your browser of choice, and the company totally blows you off. When somebody gives you that detailed of an explanation about your problem, you should listen to them since they probably know what they are talking about. At least give it a try.