Epsilon Breach Affects JPMorgan Chase, Capital One
Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonald's — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?
Trolling is a art,
I haven't gotten any yet, although I have done business with a few. If anything this is a reminder that services like Sneakemail exist for a reason.
if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.
ELOI, ELOI, LAMA SABACHTHANI!?
So far, Best Buy and Robert Half Technology.
I have received these from Best Buy and TiVo so far.
Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
Called the company to report a phishing attempt and they said no, it was legit.
I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.
I'm expecting one from Walgreens and Marriott soon.
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.
I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.
And yet they retained and leaked my email address.
Can I charge them a $10 monthly fee for spam removal?
__ Someday, but not this morning, I'll finally learn to use the preview button.
I just checked and somebody used my CITI card to buy several new large screen TVs and all sorts of electronic equipment. Guess I'll have to call this in....
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
So far I've gotten two. Best Buy and Home Shopping Network.
I'd forgotten I'd even had accounts there. I wonder what other news of my past I'll be receiving this week.
I am not a crackpot.
They have my email because they are tech headhunters, and I was unemployed a few years back.
Best Slashdot Co
Wasn't stuff like PGP / GPG supposed to solve all of email's problems by allowing people to use real email whitelists? Is there any effort to use public-private keyrings to sign email, so we can simply filter out all the spam that isn't signed by someone we don't know? If we actually used this stuff, they'd just have to revoke their private key (if it was among the data compromised) issue a new one (along with the apology) and be done... the email addresses wouldn't be of much further use to a spammer if people/procmail just ignored unsigned emails.
I'd hate to think that Facebook might become the de-facto replacement for email just because most of the webmail providers don't make it easier to set all that encryption stuff up.
To every one of these I send this reply:
I encourage everyone who receives these apology emails to do the same. Perhaps companies will care about privacy. (Ok, I don't really believe that. But it is a good test to see if anyone actually reads replies to these emails.)
I'm a good cook. I'm a fantastic eater. - Steven Brust
Did they use Epsilon to send out the security alert warning emails?
>Received: from
> by pimta03.epsiloninteractive.com
Looks like it.... Hmmm... what does that say about it?
Disney Destinations, New York & Company, AbeBooks. I'm waiting to see how these addresses (each being a different one of course) will get used. Will it be spam, trojans, Nigerian princes or something new and exciting? ;)
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
I received one from TiVo, and I haven't been a customer for over 2 years. I guess they still had my account info stored. It was actually my father's account, but since he doesn't have a computer we used my contact info.
I've only received one from US Bank on April 2 (two days ago). It was the first I had heard of the incident.
People will pass up steak once a week, for crap every day.
I'm certain to receive at least one, which really does little to console me after the years of being spammed by the "legit" holders of my email addresses. This is why we have Gmail junk bucket accounts...
"Why, yes! I do have an email address for your bulletins and offers, it's [...]@gmail.com! (which I check once every blue moon or so)"
A feeling of having made the same mistake before: Deja Foobar
and only found out why on Saturday.
It is useful to let you know that your information has been compromised so you can take any appropriate action. The apology is just extra words, not the purpose of the communication.
Re: How does this happen?
I have received these from Best Buy and TiVo so far.
Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?
Cut costs, take lowest bidder, require no proof of secure measures in place or review of procedures - it's not always incompetence by the peons who build the systems, usually it's incompetence and avarice by those who remove or never hire the sort of positions which oversee data security and integrity.
When someone asks you "how are you?", you know, just like everybody else, that the question is not sincere. Both you and the questioner expect an answer along the lines of "I'm fine", even if you're on your death bed. Both the question and the answer are merely part of the social protocol; give a token, get a token. It may seem pretty dumb, but it has worked just fine for centuries, and heck, without empty chit-chat what would people talk about?
Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.
-- "Oh. This guy again."
Citi hasn't been doing too well on these things recently; they've replaced our cards twice in the last few months.
Outsourcing saves companies money because the outfit that takes the business can achieve better economies of scale -- yeah, they can compromise tens of millions of accounts at once for multiple firms, rather than the measly million or two that would have been screwed otherwise...
Check it out, there's no catch all 'criminal database' full of people's credit cards and PIN numbers. If this was the case, a group could simply use this list to make everyone aware of the impending fraud...
Most 'carding' activity is done via forums and IRC.. where credit card dumps (dumps of the magnetic strip) and numbers/info are SOLD for anywhere from $1-$5 each, depending on the value of the card in question.. and if it's a dump or just information. The dumps can be used to 'write' the information to blank magstrips (other credit cards, hotel key cards) with the right hardware.
The only way these criminals withdrew the money from your account was with your PIN number. The fraud officer was right. You can make purchases without a PIN using the credit aspect of a card, but you CANNOT withdraw money.. You can't even get 'cash back' without using the ATM part of the card. Somewhere along the lines you must've disclosed your PIN number. Can't you contact the establishments where the money was taken (where the ATM or whatever device was used to obtain the money)? They almost universally have cameras on them now.. for the fact that you can say 'that wasn't me' and request a camera shot of the person taking the money out... with that evidence in hand it's usually very easy from there to get the charges removed.
Excuse me, I don't mean to impose, but I am the ocean
.. If the client companies already sold their email lists to various marketing firms?
I use two email addresses, one that I provide to companies that I do business with, and one that I use for personal correspondence and everywhere else online (public forums, etc.). The "business" email has always received much more spam than the one I use and give out liberally everywhere else online. Looks to me like they're just sorry that someone got my email address for free, rather than them being able to sell my address to another one of their "partners".
I can see them going "Let me just store in my little database that "HTH NE1 (675604)" is overly concerned and probably a good spam target for anti-anxiety meds".
Just to be clear: EVERYTHING you post on the net gives someone, somewhere just a little bit of extra information. It all adds up. You've got that one right.
While it all adds up, it's pretty easy to make the weight of many of those pieces negative by putting in false info wherever possible, thus confusing the beast.
- Rusty Shackleford
Only one so far
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Well the email to Best Buy bounced. So yeah, they really don't give a shit to the point where they don't even pretend to accept replies.
I haven't seen Citi mentioned in anything I've read yet, I received an email from them a little while ago:
Dear [Flyers2391],
Recently, Citi was notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including Citi. The information obtained was limited to the customer name and email address of some credit card customers. No account information or other information was compromised and therefore there is no reason to re-issue a new card.
Because e-mail addresses can be used for "phishing" attacks, we want to remind our customers of the following:
* Citi Cards uses an Email Security Zone in all of our email to help you recognize that the email was sent by us. Customers should check the Email Security Zone to verify that the email you received is from Citi and reduce the risk of personal information being "phished". To help you recognize that the email was sent by Citi we will always include the following in the Email Security Zone in the top headline portion of all our emails:
o Your first name and last name
o Last four digits of your Citi card account number
o And recently to increase security, we have added your “member since” date located on the front of your card, where available.
* ThankYou(SM) Rewards always includes your first name, last name, last four digits of your ThankYou Member ID, and Total Available Point Balance in the top headline portion of all our emails to help you recognize that the email was sent by us. Customers should check the top portion to verify that the email they have received is from ThankYou(SM) Rewards and reduce the risk of personal information being "phished".
* More information about phishing is available here: [link]
Yeah, that's the same email I got from Chase
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
If you want to contact Chase, please do not reply to this message, but instead go to Chase Online. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.
Honestly though, I just don't feel myself getting worked up over this stuff (although there are more-serious privacy issues)
one from Chase (posted about it in another comment)
one from AbeBooks (one of my occasional used-textbook sources):
Epsilon Informs AbeBooks of E-mail Database Breach
We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.
As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.
AbeBooks Newsletter. Copyright © 2011 AbeBooks Inc. Suite 500 - 655 Tyee Road, Victoria, BC, V9A 6X5, Canada. All rights reserved.
If you have any questions, our Customer Support team will be happy to help.
It is not worth doing business with. Nothing looks cheesier than an email from a financial institution or a law firm that was sent from some crappy third party mail service.
Perhaps the worst one I ever saw was a mass emailing from a group of Seattle patent attorneys trumpeting how serious they were about confidentiality.
They had, of course, just exposed their entire client list to a third party emailer.
Oh, come on now, let's be fair, they're all really quite sorry...
Don't forget, they also "regret this has taken place" in the public eye and "are working diligently... and continue to protect your personal information" by sharing your info with Experian, TransUnion, Equifax, and ChoicePoint every month; along with the occasional publicized data breach. So there you have it, a sorry, a regret, and a things will continue. You can go back to using your accounts and rest assured they are as safe as they ever were. Whatever that means.
Whenever you or I lose a company laptop, violate a contract, disclose a non-disclosure agreement, expose a sealed order, blow the whistle on environmental violations, expose internal corporate corruption, we are harangued, demoted, sued, fined, fired, jailed, or blacklisted. Maybe the difference between being a human and a corporation having the same rights as a person hasn't worked out and is slowly changing?
I actually received an apology from Disney on Apr 3rd ... the first of any message. It wasn't until today that I received messages from three other vendors. Disney seems to be on top of it ... so I wonder why the delay from the other vendors? What's funny though, is Google Mail thought the apology from Disney was spam!
This explains the huge pop I saw in incoming spam to my personal account that started on March 31 and which is continuing.
Yet another reason to avoid Capital One: they sell your email to barely-legal spammers err... "marketing partners" at every opportunity, despite asking for opt-out.
Everybody gets what the majority deserves.
Got my Chase letter. It warns about not sending information by email. Nothing about not clicking on links. In fact, it contains the lines:
The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on "Fraud Information" under the "How to Report Fraud." It provides additional information on exercising caution when reading e-mails that appear to be sent by us.
chase.com is a link!
All a phisher needs to do is send this exact email, pointing to a dummy Chase page, and encourage the victim to log in when he reaches it.
Clearly they are either very stupid or really just don't care. I'll go for the latter.
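Two observations in this thread, a notice that arrived through the vendor's own relay (the Received headers quoted in an earlier comment) and a notice whose links a phisher could simply mirror, can both be checked from the raw message before anyone clicks anything. The Python below is an added example, not code from the thread or from any company named in it; every hostname, address and the sample message are constructed (.invalid domains).

```python
# Added example, not code from the thread or from any vendor named in it.
# Hostnames, addresses and the message below are constructed (.invalid TLD).
import email
import re
from email import policy
from typing import List, Tuple

# Constructed notice: the Received chain shows it was handed to the bank's MX
# by a third-party sending host, and one body link leaves the bank's domain.
SAMPLE_NOTICE = """\
Received: from mx-in.example-bank.invalid (mx-in.example-bank.invalid [192.0.2.10])
\tby mail.recipient.invalid with ESMTP id 1; Mon, 4 Apr 2011 09:12:00 -0400
Received: from pimta03.esp-vendor.invalid (pimta03.esp-vendor.invalid [198.51.100.7])
\tby mx-in.example-bank.invalid with ESMTP id 2; Mon, 4 Apr 2011 09:11:58 -0400
From: "Example Bank" <alerts@example-bank.invalid>
To: customer@recipient.invalid
Subject: Important notice about your e-mail address
Content-Type: text/plain

We will never ask for your password by e-mail. For details visit
http://www.example-bank.invalid/security or http://example-bank-security.invalid/login
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
URL_RE = re.compile(r"https?://([^/\s]+)")


def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (label-exact)."""
    host, domain = host.lower().strip("[]()"), domain.lower()
    return host == domain or host.endswith("." + domain)


def received_hops(raw: str) -> List[Tuple[str, str]]:
    """(from_host, by_host) for each Received header, oldest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))  # headers are prepended, so reverse to chronological


def third_party_relays(raw: str, sender_domain: str) -> List[str]:
    """Sending-side hosts in the chain that are outside the claimed sender's domain.
    Only the hop stamped by your own MX is trustworthy; earlier ones can be forged."""
    return [src for src, _ in received_hops(raw) if not in_domain(src, sender_domain)]


def off_domain_links(raw: str, sender_domain: str) -> List[str]:
    """Link hosts in the plain-text body that do not belong to the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return [h for h in URL_RE.findall(body) if not in_domain(h, sender_domain)]


if __name__ == "__main__":
    print("relays outside example-bank.invalid:",
          third_party_relays(SAMPLE_NOTICE, "example-bank.invalid"))
    print("links leaving example-bank.invalid:",
          off_domain_links(SAMPLE_NOTICE, "example-bank.invalid"))
```

A relay outside the sender's domain is not proof of phishing (it is exactly what a legitimate vendor-sent notice looks like), but a body link that leaves the brand's domain is the thing to treat as hostile until verified out of band.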
...if they were willful, intentional, or reckless, and if they weren't, they still owe you $500 if you ask them to disclose to you any personal information disclosures and they don't. In either case, this only applies if you're Californian.
The relevant law is CALIFORNIA CIVIL CODE SECTION 1798.80-1798.84 which you can find here:
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84
(1798.83 and 1798.84 are the most relevant.)
I'm currently (still!) suing TD Ameritrade for covering it up when they were hacked and the names, addresses, SOCIAL SECURITY NUMBERS, etc, of 6.4 MILLION customers were compromised. (See amtd.elvey.com.) ... ...and you can file for an injunction to force them to disclose.
(b) Any customer injured by a violation of this title may
institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation
of Section 1798.83, a customer may recover a civil penalty not to
exceed three thousand dollars ($3,000) per violation; otherwise, the
customer may recover a civil penalty of up to five hundred dollars
($500) per violation for a violation of Section 1798.83.
Make 'em pay! http://Payola.org #include "stddisclaimer
First, all of these companies passed off the task of marketing to Epsilon, then Epsilon had a 'chink' in their armour, and user names and Email addresses were stolen. Sounds to me like the bad guys knew that the best way to get this information was to attack an aggregator such as Epsilon. All of these companies which use aggregators such as Epsilon are doing something that they should never do without your express permission: divulging your personal information.
The current system of privacy pamphlets being mailed out by companies periodically is an utter joke. There are so many loopholes you can drive the starship Enterprise right through them.
We need a centralised 'do not divulge list' which could be an expansion of the current 'do not call list' for telephone numbers. Why not expand it so that you can enter email addresses and street addresses? Anything entered on this 'do not divulge list' would be off limits for marketing purposes.
Write your US congresspersons and senators (I did)
Your post-ending comma is going to bother me all day.
-mrxak
Onions Will Kill You
Just got mine from Christin McMeley of Charter Communications. Conspicuously, it didn't really answer any of my questions, nor did they provide any contact information other than a generic www.charter.com/security website totally silent on the subject. When I tried to call Charter they had zero clue about it and thought I had been phished and suggested ignoring the e-mail. Reluctantly, and with at least 20 minutes of phone tech and manager consternation, they transferred me to their privacy department, and it ended in a voicemail I have zero faith I'll get a call back on. Rather annoyed, I decided to find Ms. McMeley directly and was totally surprised to find her actual personal phone number via Google and an incident where they had....wait for it.....reported 12 stolen laptops with personnel data in 2008. http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-157541.pdf And when I called the number...I got Ms. McMeley's cheery voicemail...in her own voice! That alone was great satisfaction to just leave a message...and asked her nicely to give me a call back on this most important issue. I'm still waiting, but cautiously optimistic she or a staffer will call. And if not...I'll persevere until they explain why my data was stolen when I asked them expressly to not share my personal data with anybody. And if that doesn't work, wonder if those fine folks at Anonymous are busy?