
Millions of Emails Exposed in Major Security Breach

This topic is archived.
Stuart G Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:34 PM
Original message
Millions of Emails Exposed in Major Security Breach
Edited on Sun Apr-03-11 03:44 PM by Stuart G
Source: MSNBC

By Helen A.S. Popkin

A major security breach exposed countless customer emails for a growing list of companies, including TiVo, JPMorgan Chase, Citi, Capital One, Marriott Rewards, Walgreens and more.

Epsilon, the world's largest permission-based email marketing services company, released a statement reporting an unauthorized entry in its clients' customer database on Friday. Email addresses and customer names were obtained. The list of client databases began with the grocery chain Krogers, but as the investigation continues, more companies are added.

Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10 to build and host their customer databases, reports Security Week:


Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.


Read more: http://technolog.msnbc.msn.com/_news/2011/04/03/6402261-millions-of-emails-exposed-in-major-security-breach



msongs Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:35 PM
Response to Original message
1. add US Bank to that list according to an email they sent me and I verified nt
 
iamtechus Donating Member (868 posts) Send PM | Profile | Ignore Sun Apr-03-11 05:02 PM
Response to Reply #1
15. Wife and I both got emails from USBank - - our addresses leaked from "Epsilon"
 
Heddi Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:27 PM
Response to Reply #15
27. My husband and I as well, which is annoying because we haven't had a US bank acct for 4 yrs
grr
 
ET Awful Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 08:11 PM
Response to Reply #1
32. Yup, same here, also add Barclays. n/t
 
RUMMYisFROSTED Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:40 PM
Response to Original message
2. Everything online is available.
Who doesn't understand this?
 
GKirk Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:52 PM
Response to Reply #2
6. I don't think that
is the point. If I give my email address to a company and they promise not to share it with other companies and then someone steals that list they have violated my trust.
 
RUMMYisFROSTED Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:56 PM
Response to Reply #6
8. Was it stolen or was it sold?
:think:
 
SoCalNative Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:00 PM
Response to Reply #8
9. Stolen
by a hacker or hackers
 
RUMMYisFROSTED Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:02 PM
Response to Reply #9
11. Or sold and then it becomes "It's not our fault."
Either way: If it's online don't expect privacy. Promises or no.
 
ET Awful Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 08:15 PM
Response to Reply #6
33. Okay, so if you sign a petition, and the person gathering signatures promises you that
your information won't be transferred to a third party, but their clipboard is stolen from them and your information goes missing, is that the fault of the person gathering the signatures or the fault of the person who stole them?

It's the same situation.

Blaming the entity whose data was stolen for the theft is rarely the correct action.

 
BR_Parkway Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 04:45 AM
Response to Reply #6
35. If I loaned my neighbor my lawnmower and someone broke in and
stole it from him, I don't think I'm going to blame my neighbor if he took all the common sense steps to protect it. If he didn't buy a lock to put on the door just to save money, that's a different issue.
 
CountAllVotes Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 10:33 AM
Response to Reply #6
36. isn't this why we "opt out"
So they cannot "share" this info. with other companies? I always do this.

This thing reeks of a class-action lawsuit IMO! :mad:

:dem: :kick:

 
RKP5637 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:06 PM
Response to Reply #2
12. All banking is online, been that way for decades, good security can prevent breaches. n/t
 
unc70 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 05:37 PM
Response to Reply #12
18. No it really can't be good enough, even the best online security just takes longer to breach
This is one of the things I have been doing for the past 40 years. There is no way to make anything attached to the net secure. You are only as secure as your least secure subsystem, how do you determine who to trust?

Once security on a system is breached, it is not possible to return that system to a secured state without completely replacing it. The best you can do is to make an assessment of the risk that undetected compromises remain, and if the risk appears low enough, and the consequences of someone exploiting an undetected compromise are not too high, then it becomes a management decision whether to take the risk and continue operations.
 
Ohio Joe Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 06:05 PM
Response to Reply #18
19. That is not correct
"You are only as secure as your least secure subsystem, how do you determine who to trust?"

No, it is not like in the movies, just because someone might get access to one system it does not mean they will be able to access any other.

"Once security on a system is breached, it is not possible to return that system to a secured state without completely replacing it."

No. System security is not some integral part of a system, it is not like programs and their security are one large string of code. Security is a separate bunch of programs from the system it protects. It can be removed and replaced or even improved at any time (and often is, upgrades happen all the time).

"The best you can do is to make an assessment of the risk that undetected compromises remain, and if the risk appears low enough, and the consequences of someone exploiting an undetected compromise are not too high, then it becomes a management decision whether to take the risk and continue operations."

This can be said of any security system of any type, from a bank vault to computer security to any other security. Does it plan for every last possibility? Probably not, that sounds like a pretty unrealistic thing to expect.
 
unc70 Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 12:28 PM
Response to Reply #19
38. Yes, it is. How secure a system varies inversely with how secure those responsible think it is
Edited on Mon Apr-04-11 12:40 PM by unc70
In other words, the more secure you think your system, the less secure it probably is. If you think it possible to have a highly secure system on the internet, you probably are not aware of many of the threat types.

Typical computer security features are like having locks on the doors of your home -- They help honest people remain honest people. A building security system that requires swiping a card plus entering a keypad code provides little security if people leaving the building are likely to hold the door for someone entering it, even those lacking authorization to enter the building.

In several of the recent incidents, the access gained to internal systems after the initial breach actually looked a lot like in the movies.

BTW W.O.P.R has learned some new games.

Would you like to play a game of Global Economic Meltdown?

Or would you rather play "I've got your secrets"


I should clarify that not only have I been doing computer and network security for over 40 years, but much of it has been at fairly high levels, from Multics and The Orange Book to NASA JSC, SCADA and S.P.I.D.E.R control systems to real-time global financial systems, and a lot more.

I know what I am talking about, have discussed on DU with increasing levels of alarm how vulnerable we are and how immense the perils we face, and my frustration and anger at those who got us into this mess in spite of all our warnings. Several recent incidents have me very alarmed, not quite to panic. Today, I keep having flashbacks to the Cuban Missile Crisis. Not good.

The hack on RSA is a good example of a multi-stage attack and once breached, not to be trusted. Unfortunately, this time it impacts almost everyone because RSA supplies SecurID and other widely-used services at the very heart of authentication, cryptography, trusted systems, etc. We really don't know how really bad this could be. Make sure to read the comments, too.

http://forums.theregister.co.uk/forum/1/2011/04/04/rsa_hack_howdunnit/

This describes the recent hack by an Iranian and how he created fake certificates of authentication for web sites and what it means.

http://www.dw-world.de/dw/article/0,,14954119,00.html


This one discusses the problem wrt SCADA systems used for process control -- pipelines, factories, refineries, power generation including nuke. Includes links discussing the worm that apparently was specifically targeted at SCADA used at the Iranian nuclear facilities. Remember to read these comments, too.

http://www.theregister.co.uk/2011/03/22/scada_exploits_released/


While most of these incidents involve Microsoft and increasingly Adobe products, there have been too many with UNIX, Linux, and Open Source applications and breaches at "Trusted" servers hosting development and downloading. And we have little reason to trust that the hardware is safe.

My journal archive has several earlier rants on this subject. I will post a version of this in its own thread when I get a bit more time. This one done in 2-3 minute increments over about 12 hours.
 
RKP5637 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:18 PM
Response to Reply #18
23. Excellent point!!! "... even the best online security just takes longer to breach." n/t
Edited on Sun Apr-03-11 07:20 PM by RKP5637
 
GKirk Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:40 PM
Response to Original message
3. And add Home Shopping Network
I just got this email:

Dear HSN Customer,

HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. Please visit http://www.hsn.com/important-information-about-email-accounts_at-5250_xa.aspx for answers to some frequently asked questions about this incident. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.
 
Chef Eric Donating Member (576 posts) Send PM | Profile | Ignore Sun Apr-03-11 03:42 PM
Response to Original message
4. Add Ameriprise Financial to that list. nt
 
Mnemosyne Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:51 PM
Response to Original message
5. Chronology of Data Breaches - 516,992,106 records breached since 2005. Link:
 
RKP5637 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:23 PM
Response to Reply #5
25. That's some list, a bit distressing. n/t
 
Lisa0825 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 03:52 PM
Response to Original message
7. I got a notice from TiVo today. nt
 
BadgerKid Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:00 PM
Response to Original message
10. More affected (per Slashdot threads)
 
Mojorabbit Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 03:57 AM
Response to Reply #10
34. Add Abe's books to that list. :( nt
 
ThomCat Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:21 PM
Response to Original message
13. I got an email from Brookstone today
warning me that their customer list of email addresses and names got hacked. So add them to the list too.
 
liberal N proud Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 04:32 PM
Response to Original message
14. I have received messages from 4 companies telling me they exposed my email
 
xchrom Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 05:18 PM
Response to Original message
16. Recommend
 
wysingm Donating Member (115 posts) Send PM | Profile | Ignore Sun Apr-03-11 05:28 PM
Response to Original message
17. I got a notice from AbeBooks today.
Edited on Sun Apr-03-11 05:29 PM by wysingm
So add them to the list too.
 
sendero Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 06:25 PM
Response to Original message
20. And now the latest computing paradigm..
Edited on Sun Apr-03-11 06:27 PM by sendero
... embraced by morons, is "cloud computing". Any business that would put their precious data in the hands of who knows who deserves the disaster that is surely coming their way.

But you wait, many will and when their data is lost and cannot be recovered or leaked to anyone and everyone, they'll all cry "who could have known"?
 
RKP5637 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:25 PM
Response to Reply #20
26. Yeah, "cloud computing" bothers me. It just seems ripe for security breaches. n/t
 
Ramulux Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:11 PM
Response to Original message
21. Shit
I knew using US Bank was a bad idea.
 
Larry L. Burks Donating Member (411 posts) Send PM | Profile | Ignore Sun Apr-03-11 07:11 PM
Response to Original message
22. Fox?????
Sure. They're at it again
 
underpants Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:22 PM
Response to Original message
24. I DELETED THAT!!!
 
October Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:56 PM
Response to Reply #24
31. Notified by Disney Destinations
...and we haven't been there in ten years!
 
DeSwiss Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:43 PM
Response to Original message
28. K&R n/t
 
bluedeminredstate Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:52 PM
Response to Original message
29. Notified yesterday
HSN sent me an email to tell me that my email and name had been among millions stolen. They gave me all the usual info about not revealing any personal or financial info to anyone.

 
barbtries Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-03-11 07:55 PM
Response to Original message
30. they've got mine
I got an email telling me so.
 
bemildred Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 10:50 AM
Response to Original message
37. So this company became a single point of failure.
Because everybody was using it, because it was cheap.
 
BadgerKid Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 01:09 PM
Response to Original message
39. Add LL Bean Visa, Ritz-Carlton Rewards, Best Buy, Walgreens (link).
 
mainer Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 07:17 PM
Response to Original message
40. Add Hilton Honors
I just got an email from them telling me about the breach.
 
matt819 Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-04-11 10:45 PM
Response to Original message
41. So far two companies have contacted me
Abe Books and Hilton Honors frequent travel program.

Look, I don't know how many companies like Epsilon are out there, and maybe this hack could have happened to any one of them. But maybe this is a case of a company being just too damn big in its industry that a hack like this affects just too damn many people. Is it a wake-up call? Probably not. As others have written, we are dreaming if we think we have privacy on the web. Perhaps. But when one hack can result in the loss of tens of millions of e-mail addresses (and names in some cases), something is very wrong. Maybe these large companies need to bring this database management capacity in house. Or maybe companies like Epsilon need to segregate their databases so that one hack does not result in the loss of data from dozens of companies.