Still, as hacks go this one looks like a doozy, and perhaps one of the biggest ever. Someone stole a pile of names and email addresses -- it's still not clear how many -- from Epsilon, a marketing firm that sends email ads and promotions on behalf of some 2,500 corporate clients. The government is investigating. Affected are a slew of major banks, retailers, hotels and drugstores, among others.
Here's the message I got this morning from one of those companies, JPMorgan Chase (JPM), also known to yours truly as my bank:
Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure."Everything we know," huh? If you say so, JPM. And it would've been nice to hear about this sooner than two days after Epsilon first disclosed it had been compromised. Data belonging to least 18 companies was stolen, including AbeBooks, Best Buy (BBY), Brookstone, Capital One (COF), Citigroup (C), Home Shopping Network, Kroger (KR), McKinsey, TiVo, US Bancorp (USB) and Walgreen (WAG).
Epsilon says no credit card or social security information was lifted. For now, the danger mostly seems to be that fraudsters could use the email data in waging "phishing" attacks. That's when you get a message that appears to be from a known company requesting personal information. Clicking on an embedded link takes you to a facsimile of the firm's Web site, which in fact is there to collect people's information. That's a real threat, says Security Week's Mike Lennon:
Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher "hit rate" than a typical "blind" spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.The lesson in all this? Same as it ever was -- it's a dangerous world out there, meaning in here on the Internet. Attention will naturally turn, as it should, to what Epsilon could've done to prevent the intrusion. Other online marketing firms will no doubt be checking the locks. But the fact is that for years now hacking has been a fact of life. If you don't want your information stolen, don't give it out.