Thursday, April 7, 2011

Major Security Breach at Epsilon Interactive

By now, many of you may have received emails alerting you to a security breach at Epsilon Interactive, an on-line company used by many major corporations to send marketing emails to customers. An outside hacker broke into the Epsilon network and gained access to numerous names and email addresses of their clients’ customers. Major corporations affected include Barclays Bank, Best Buy, Citibank, JP Morgan Chase, Marriott International, Target, Walgreens, Hilton Worldwide, and Disney Destinations, as well as a host of others. If you’ve received one of these emails, you might be wondering how it will affect you. I’ll try to answer that question here.

What Happened
Epsilon specializes in sending bulk marketing emails in the name of their client companies. It takes a certain amount of skill to craft personalized emails so that spam filters don’t block them, and this is Epsilon’s claim to fame. They send more than 40 billion emails on behalf of their clients annually to people who have provided an email address to the client company. Although Epsilon isn’t saying exactly what happened, it is clear that someone was able to hack into their network and obtain customer names and email addresses. Epsilon has stated that “approximately 2 percent of total clients” were hit, which would be about 50 companies. To date, Epsilon has not provided a detailed list of those companies, but the ones named above have notified their customers of the breach. Epsilon has made it very clear that the hackers only got names and email addresses, not any financial information. This means the information can’t immediately be used to do anything harmful, other than to send out more spam.

The Risk

Email addresses on their own aren’t all that valuable, but if you can tie a customer’s name and email account to a company they do business with, the problem becomes more serious. A hacker can create a customized email that appears to come from the client company to trick the customer into revealing sensitive information. Suppose, for example, you got an email from your bank encouraging you to sign up for a special offer. All you have to do is click on the link in the email, log into your account, and you’re all signed up. Of course the offer isn’t really from your bank, and the link takes you to a rogue website that captures your login information. Before you know it, the hacker uses it to break into your account and drain it dry.

How to Protect Yourself
The good news is that the stolen information by itself won’t let a hacker do anything harmful. As long as you practice due diligence in opening and reading emails, you should be safe. The first thing to remember is to never provide sensitive information (account names, passwords, social security numbers, etc.) in response to an email request. Legitimate companies will never make such a request by email. Also be very cautious about clicking links in emails, and never enter any sensitive information on a website you arrived at from an email link. Whenever you must enter sensitive information, go to the company’s website by manually typing their web address into your browser (once you’ve done this, you can bookmark it for future use).

You may also want to consider investing in a strong spam filter for your email network, even beyond the anti-virus/anti-malware software you should all be using. There are two ways to do this: by using a cloud-based service or by adding a hardware filter to your own network. Cloud-service companies such as AppRiver can filter almost all spam before it even gets into your network, or you can use a hardware email security appliance such as those offered by Barracuda Networks. Either option can significantly reduce the amount of unwanted spam clogging up your network.

Finally, make sure that access to your network is protected by strong passwords. Although we don’t know how the hacker got into the Epsilon network, we do know some of the techniques commonly used. One approach is to use a program that tries to brute-force its way into your network by automatically trying common usernames and passwords. Passwords like “1234” or the word “password” are easily hacked. At TeamLogic IT, a new client recently asked us to repair damage to their network caused by a hacker. When we investigated, we discovered the break-in probably occurred because their server password was one of the most common and least secure passwords out there. Don’t let this happen to you.

To learn more about how to protect your network, including how to create strong passwords, read my previous blog entry, Protecting Your Business Against Cyber-Criminals. And if you’d like TeamLogic IT to help improve the security of your network, just visit www.teamlogicit.com.