On March 30th a major security breach was detected at the Epsilon marketing company, compromising the email lists of some large brand-name companies.  While the harvesting of email addresses in and of itself might only lead to increased spam, the nature of these companies could also lead to a massive wave of “phishing” attacks.

The list of companies impacted by the security breach is continuing to grow, but as of this posting the list includes:

  • Brookstone
  • Capital One
  • Citi
  • Disney Destinations
  • Home Shopping Network (HSN)
  • JPMorgan Chase
  • Kroger
  • Marriott Rewards
  • McKinsey & Company
  • New York & Company
  • Ritz-Carlton Rewards
  • The College Board
  • TiVo
  • US Bank
  • Walgreens

In a statement from Epsilon the company stresses that the only information harvested was names and email addresses, but seeing as we know which companies are impacted, there is a good chance that the hackers also know.  This could lead to very targeted attacks to garner more personal information from you, also known as phishing.

Quite often I receive emails purporting to be from a bank, claiming that my account has been compromised and I should click a link to correct it.  The problem is, I’ve never had an account with the bank, making it easy for me to discern it’s a phishing attempt.  However, if I receive one from a bank I do have an account with, and they could even theoretically address me by name, then there could be an issue.  Your general rule of thumb should be to never click links in emails, even if they are from a company you trust.  If you get an email that says it’s from your bank, and you need to fix your account, go directly to the bank’s website and log in that way; never do it through a link in an email.

One of the bigger questions I am left asking myself in the wake of this news is why so many companies hire a third party for something as simple as maintaining a mailing list.  Putting this much customer data in one repository is like painting a huge target on a company.  If each company maintained its own list, a security breach would compromise only that company’s records.  While still potentially risky for consumers, it would be one isolated company as opposed to 15 and growing.  Companies of this size certainly have the resources to run their own; hiring an outside vendor seems not only risky, but also wasteful.

Double checking emails from companies such as these is always a good idea, but be doubly alert for the time being.

What do you think?  Should large companies be hiring outside vendors to manage sensitive customer data such as this?

[via Security Week]