Massive hack hits US banks and retailers
By Reuters and Nicole Kobie
Posted on 4 Apr 2011 at 08:20
The names and emails of customers of Citigroup and other large US companies were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.
In what could be one of the biggest such breaches in US history, a diverse range of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.
Walgreen, TiVo, credit card lender Capital One and teleshopping company HSN all added their names to a list of targets. JPMorgan Chase, the second-largest US bank, and Kroger, the biggest US supermarket operator, said that some customers were exposed as part of the Epsilon data breach.
Epsilon, an online marketing unit of Alliance Data Systems, said that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion email ads and offers annually, usually to people who register for a company's website or who give their email addresses while shopping.
Some of Epsilon's other clients include Verizon, Hilton Hotels, Kraft Foods, and AstraZeneca.
Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely
"We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorised individual or individuals," HSN, also an ecommerce operator, said in an email to customers.
"This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."
Law enforcement authorities are investigating the breach, though it was unclear how many customers had been exposed. Epsilon is also looking into what went wrong.
"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."
Paul Ducklin, head of technology for Sophos, noted that email address leaks were not seen as a "cardinal sin" among companies, but would lead to an increase in spam to affected accounts.
"Also, losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely," he noted in a blog post. "That, in turn, can make their fraudulent correspondence seem more believeable."
As Epsilon is essentially a cloud-based email contractor, he said firms should take note that moving to the cloud could have security implications, saying "sometimes, keeping your own skills and abilities factored in to your organisation's security equation can pay off".
Play.com was faced with a similar problem, after its email marketing firm leaked customer data last month.
Governments need to get a grip
Seriously, legislation needs to be much tighter than it is now. You give your details to a company and they seem to take ownership of your information and think they can do as they see fit with it. Regulations need to be tightened so that companies must treat your data with respect - not share it, not sell it and store it securely. If I were to take certain information from my employer and allow it into the public domain I would be in serious trouble. If a company takes mine and mislays it...."oops, sorry"
By everton2004 on 4 Apr 2011
Legislation needs to be much tighter
The legistlation is already there. It's called the Data Protection Act. However, the problems are (1) it's not enforced and (2) it doesn't apply to countries outside of the UK.
By Stiggy on 4 Apr 2011
Banks and CR*P
The vendor sends more than 40 billion email ads
If only about 2 Billion people in the world are on line, we know where all the cr*p comes from..
By lenmontieth on 4 Apr 2011
- Huawei Ascend P6 review: first look
- Adobe Illustrator CC review: first look
- Let MPs tell us what they really want ISPs to block
- Adobe Photoshop CC review: first look
- WWDC 2013 and iOS 7 launch: live blog
- Sony VAIO Pro review: first look
- Want child porn blocked? Meet the IWF
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Google two-step verification: a must for business email
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?