Epsilon Security Breach to Put Consumers at Risk for More E-mail Scams

Local experts say people need to be on high alert for illegitimate messages, and that legislation is needed to better regulate consumer information

A large-scale security breach at an online marketing firm is likely to result in an increased risk of e-mail scams for millions of people.

Epsilon, which describes itself as the world’s largest permission-based e-mail marketing company, sends more than 40 billion e-mails a year on behalf of large companies. The breach exposed the e-mail addresses of more than 40 of Epsilon’s biggest clients late last week.

Those affected include JPMorgan Chase, Verizon Inc., Capital One Financial Corp., Tivo Inc., Citigroup Inc., Best Buy Co. and Target, among others.

“We have been informed by Epsilon, a provider of Verizon’s e-mail marketing services, that your e-mail address was exposed due to unauthorized access to its systems. Verizon uses Epsilon to send marketing communications on our behalf,” Verizon said in an e-mail to its customers. “Epsilon has assured us that the information exposed was limited to e-mail addresses, and that no other information about you or your account was exposed.”

If criminals can associate e-mail addresses with names, a business such as a bank, or a social network profile, they can target specific people with more convincing e-mails that trick people into disclosing confidential information. It’s a technique known as “spear phishing,” said Bob Gilbert, a UCSB student seeking his Ph.D. in malware defense techniques and a member of the university’s Computer Security Group.

“If I’m a customer of ‘Bank A’ and getting spam from ‘Bank B,’ then I need to change my password. It’s a no-brainer,” Gilbert said. “But when it comes from my bank, the odds I will reply are a little better.”

Andrew Seybold, a globally recognized mobile computing consultant and founder of Andrew Seybold Inc., said hacking is a cat-and-mouse game that will not end anytime soon. Phishing is the least of people’s worries; criminals could use the stolen addresses to turn a victim’s computer into a relay point and send the user’s keystrokes, such as passwords and credit card numbers, back to themselves, he said.

“Most of the worry is that I can now pretend I’m that person sending e-mails, so it looks like a legitimate e-mail,” Seybold said. “One of the hacker’s favorite tricks is once the user opens an e-mail, they put a Trojan (virus) on the computer and use it as a relay point.”

Seybold said he expects that the hackers will sell the list to spam companies, so the level of spam will increase for everyone. He added that the breach demonstrates that there needs to be legislation regulating a better approach to the handling of customer information.

“Right now, things are left to companies to self-regulate. It seems like they are implementing the least amount of security necessary to get the job done,” Gilbert said. “In a breach like this, the customers are the first ones to feel the pain, and I don’t think that’s right.”

Seybold said corporations need to shrink the number of connections they have to the Internet, because the more connections there are, the more paths people have to steal the information.

“Why is there one central area where Epsilon is storing passwords? Why isn’t this decentralized with more security?” Gilbert said. “All they needed was a single point of failure to get through.”

The more information in one database, the bigger the problem is, said Richard Kemmerer, Computer Science Leadership chair, professor and Computer Security Group director. He couldn’t say how many companies contacted him and his wife regarding the stolen information.

“If you are a customer of one of these banks or air mile places, you could probably read fine print in a contract that said, ‘We may send e-mail information to a third party,’ but who has time to read through fine print?” Kemmerer said. “I don’t think most people were aware that all these companies were using Epsilon, which makes it a bigger problem.”

Although there are certain security requirements for companies holding credit card information, there aren’t such stipulations for databases with e-mails, Kemmerer said. He said he expects to see some sort of legislation follow the breach, such as not being able to send massive amounts of personal information to a third party or not allowing the third party to store them in one place.

“The biggest thing that struck me was how lax was their security? Maybe they were really good hackers, maybe all the reasonable security was in place, I don’t know,” Kemmerer said.

The attack didn’t surprise Gilbert.

“Initially it didn’t seem terribly shocking to me. Based on the business model, it seems almost inevitable this was going to happen,” he said. “You are kind of at the mercy of those on the other end and this case demonstrates that.”

As social networking continues to gain traction and more data are submitted online, one’s online persona is more identifiable, Gilbert said.

“An e-mail address is just one more data point that they have to corroborate,” he said.

Reports of the breach are contradictory. Some say only e-mail addresses were stolen, while others say other personal information was lost. Epsilon did not respond to requests for comment.

Other companies affected include Walgreens, Chase, Ralphs, Bebe, World Financial Network National Banks, L.L. Bean, Hilton Honors, Food 4 Less, Fry’s, Eddie Bauer, Dell Australia, Disney Vacations, Charter Communications and dozens of others.

Krebs on Security, a Web site that specializes in online security and crime, offers these tips to avoid phishing scams:

» Don’t open e-mails if you don’t recognize the sender’s name or domain.

» Take a moment to check that the sender is really the one whose name appears as “From.”

» Don’t click on links in e-mails or open attachments unless you are sure the sender is trustworthy.

» When in doubt, go to the sender’s website by typing the address in your browser bar. Or call the sender — they probably need to know that spam is being sent in their name.

» Your email address should be kept private if possible. Consider using a second or throwaway address if you are required to provide it.

» Be extremely cautious when a website tells you that you need to install an add-on or download of any sort.
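The second and third tips above (check that the sender really is who the “From” name claims to be, and be wary of links) can be turned into a simple automated check. The following is an added example, not code from Krebs on Security or from this article; the sample message, every domain in it and the `trusted_domain` parameter are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims to be "Bank A", but the real
# sender address, the bounce address and the body link all point elsewhere.
SAMPLE_MESSAGE = """\
From: "Bank A Customer Service" <alerts@mail-bank-a-secure.example>
Return-Path: <bounce@bulk-sender.example>
Subject: Action required on your account
Content-Type: text/plain

Dear customer, please confirm your details at
http://bank-a.example.verify-login.example/confirm
"""

def _domain_of(addr_header):
    """Domain of the real address in a header, ignoring any display name."""
    _name, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def _same_site(host, trusted):
    return host == trusted or host.endswith("." + trusted)

def link_domains(body):
    """Hostnames of every http(s) link in the body text."""
    hosts = (urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body))
    return {h.lower() for h in hosts if h}

def phishing_indicators(raw, trusted_domain):
    """Reasons the message does not look like it came from trusted_domain.

    trusted_domain is the domain the recipient already knows the real sender
    uses (an assumed input; take it from the bank's own site, not the e-mail).
    """
    msg = message_from_string(raw)
    reasons = []
    from_dom = _domain_of(msg.get("From"))
    if not _same_site(from_dom, trusted_domain):
        reasons.append(f"From address is on {from_dom!r}, not {trusted_domain!r}")
    bounce_dom = _domain_of(msg.get("Return-Path"))
    if bounce_dom and bounce_dom != from_dom:
        reasons.append(f"Return-Path domain {bounce_dom!r} differs from From domain")
    # A host that merely *contains* the brand name is still an outside site.
    for host in sorted(link_domains(msg.get_payload())):
        if not _same_site(host, trusted_domain):
            reasons.append(f"link host {host!r} is outside {trusted_domain!r}")
    return reasons
```

An empty result does not prove a message is genuine (a compromised legitimate account passes every check here); a non-empty one is a reason to type the address into the browser yourself instead of clicking.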

Noozhawk staff writer Alex Kacik can be reached by e-mail. Follow Noozhawk on Twitter: @noozhawk, @NoozhawkNews and @NoozhawkBiz. Become a fan of Noozhawk on Facebook.
