Tuesday, 5 April 2011

Social Engineering: That Epsilon email data breach

Another data breach and scare

News that Epsilon [1], an email marketing service provider, had suffered a security breach involving the loss of customer data has been received with some angst, and has prompted fresh scrutiny of how data is secured on corporate systems.

The firm handles email marketing for a large number of big names in the US, among them Target, Chase, Marriott and TiVo, to mention only the names that came up in the opinion pieces that form my sources for this post.

It is interesting to note that the first article dealt with the matter of outsourcing email [2]. That is really a question of responsibility rather than of exposure: the data is vulnerable no matter whose system it sits on. Where it is hosted in-house, though, after the fire-fighting and damage control there is at least a person or department to take the blame, with the possible rolling of heads in mock absolution for the faults.

This is a big deal

The second article dwells on the value of an email address [3], but only from the service provider's side: reputation, information management and the possible loss of custom. The figures quoted are high, but they hardly address the more important point, which is how the breach affects the customer.

Another news story [4] reports that Epsilon sends out over 40 billion emails a year on behalf of more than 2,500 clients, including 7 of the Fortune 10 companies. That is big business, and a very large pool of end customers too.

You’ve got mea culpa mail

In one instance the writer had received an apologetic email from Epsilon and seemingly exculpatory emails from three other organisations with which he had registered for some service that used his email address as part of its transactions and interactions.

Interestingly, one comment mentioned receiving notices from organisations the commenter thought they had already unsubscribed from. In effect, cancelling a subscription only stops emails from going out; it does not expunge the address from the host database, so the record is still there to be taken when that database is breached.

What makes it worrisome is what was exposed to unauthorised access: email addresses and, for some customers, their names as well.

Proof you exist

A number of conclusions follow from that. The fact that an address was on Epsilon's systems means it is very likely to be active, and where a customer name is attached, the pair is enough of a unique identifier for a spammer to use or sell, and even to run further searches that match it to home addresses and other personal information that can be found online.

This is the equivalent of looking through a telephone directory, which probably contains current and valid information with which to use a service or contact a person.

Over a year ago my phone number strayed into the hands of scammers in Ghana, one of whom called me at an unholy hour. The moment I answered the call I had validated that the number was in working order, and for 5 consecutive days I received calls from different people in Ghana; it was my ignoring the subsequent calls that fed back into that network that it was useless calling me.

Another analogy: having an email address with a customer name attached is the equivalent of knocking on a door and learning that the premises are occupied, which gives a criminal the opportunity to watch for the right moment to burgle them.

Getting familiar

Beyond that, having a customer name allows a spammer to send friendlier, more familiar communication that breaks down the usual resistance to spam: a message that greets the recipient by name and refers to a company they actually deal with is exactly what makes a phishing lure convincing.

Where the customer keeps several email addresses, with particular ones reserved for trusted Internet activity, receiving spam on those addresses is especially irksome, because it defeats the very reason for keeping them separate.

By the time the customer has been irredeemably spammed, even important emails will have ended up in the bin, whilst the remedy of changing email addresses is fraught with unnecessary administrative problems: reviewing every subscription, informing every contact and many other troublesome chores.

The cost to the customer is high, and I have in certain instances had to discontinue the use of a service provider just because they were doing nothing to stem the flow of spam.

Remediation is fraught

However, as it stands, there is really no compensation for the inconvenience of the expected deluge of spam from a new set of senders, who, because they now hold customer names, can pretend to an established relationship with the victims of this crime.

I am saddened that most of the computer press I have read about this data breach has not really addressed this angle of the matter; it is the multitude of customers that give these companies the business they have, yet they seem to have been forgotten in the face-saving and damage-limitation quests.

Taking care

Customers should beware of phishing email: check that the URLs in an email really lead where they purport to (the address behind the link, not the text you can see), and never send personal details to anyone seeking such information via email, at least not before verifying the request with the company by telephone, using a number taken from a statement or the company's own website rather than from the email itself.

You should never have to share your national insurance or social security number, home address, credit card numbers or PINs with anyone, either by email or on the phone. If in doubt, ignore the email, especially if it reads like a threat; and if on a phone call, excuse yourself from the call, recompose yourself and call the company back at another time on a number you already know. The taker of your call should never fill you with additional angst and anxiety.
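As an added illustration of the URL check above (this is my own example, not code from Epsilon, ZDNet or any of the brands mentioned), the following Python script pulls the links out of an email body and flags the tricks that phishing lures built on a leaked customer list tend to rely on: a trusted brand name buried inside somebody else's domain, a bare IP address as the host, credentials placed before the host, and link text that shows one address while the href goes to another. The email body and the list of trusted domains are constructed for the example, and the registrable-domain helper is a deliberate simplification of the public-suffix rules.

```python
"""Flag suspicious links in a suspected phishing email.

Added example for this post; not code from Epsilon or any affected brand.
The sample email and TRUSTED_DOMAINS below are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the customer knows a sender legitimately uses.
# Take these from a bookmark or a paper statement, never from the email itself.
TRUSTED_DOMAINS = {"example-bank.com", "example-retailer.com"}

# Constructed sample body, modelled on a "confirm your details" lure that
# greets the victim by name and names a company they actually deal with.
SAMPLE_EMAIL = """
<p>Dear John Smith,</p>
<p>Following a security incident at our email provider we need you to
<a href="http://example-bank.com.account-verify.net/login">confirm your account</a>.</p>
<p>Or visit <a href="http://203.0.113.7/secure">https://www.example-bank.com/secure</a></p>
<p>Unsubscribe: <a href="https://www.example-bank.com/preferences">manage preferences</a></p>
"""


def registrable_domain(host):
    """Last two labels of a host name (example-bank.com.evil.net -> evil.net).

    Simplification of the public-suffix rules: right for .com/.net, wrong for
    two-level suffixes such as .co.uk, where a real tool would consult the list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["link is not an http(s) URL"]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if parsed.username is not None:
        reasons.append("URL carries user@ credentials before the host")
    # Trusted name used as a subdomain of somebody else's registrable domain.
    reg = registrable_domain(host)
    for name in sorted(trusted):
        if name in host and reg != name:
            reasons.append(f"trusted name {name} appears inside untrusted domain {reg}")
    # Visible text shows a domain different from the one the href goes to.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != reg:
        reasons.append(f"link text says {shown.group(1)} but href goes to {host}")
    return reasons


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Map each flagged href in the body to its list of reasons."""
    flagged = {}
    for href, text in extract_links(html):
        if not href:
            continue  # named anchors with no destination are not links
        reasons = check_link(href, text, trusted)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed message, the first two links are flagged (brand name inside another domain; IP-address host whose visible text claims to be the bank) and the genuine preferences link passes. Two caveats a practitioner would add: a lookalike registered domain such as examp1e-bank.com or a Unicode homograph is not caught by this check, and a link that passes every test can still lead to a page that asks for details it has no business asking for, which is why the advice above is to call the company on a number you already hold rather than to trust the email at all.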

Sources

[1] Epsilon (a subsidiary of Alliance Data) | Wikipedia, the free encyclopedia

[2] Outsourcing email: Do the benefits outweigh the risks? | ZDNet

[3] Epsilon data breach: What's the value of an email address? | ZDNet

[4] Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com
