Tell me if this looks or sounds familiar:
As we have communicated over the course of the last week, Epsilon—a marketing vendor that sends e-mails on our behalf—notified us about unauthorized outside access to files that included COMPANY NAME customer e-mail addresses.
The information obtained was limited to the e-mail address of some customers. No account information or other information was compromised. We’ll continue to provide updates when we have important new information to share. And, we’ll let you know what impact, if any, these developments will have on you."
The letter continues with how protecting customers is a top priority, how you should ignore emails requesting confidential information, and an apology for the inconvenience.
When I first received this email, I deleted it thinking that this kind of stuff happens from time to time. However, within hours, I received another email from a different company. And another one. Soon, I collected close to ten of these similarly formatted messages all from different companies. Thus, I began to wonder: Who is Epsilon, what exactly happened, and what can we do to prevent this from happening again?
Who is Epsilon?
According to the company's website, "Epsilon is the industry’s leading marketing services firm, with a broad array of data-driven, multichannel marketing solutions that leverage consumer insight to help brands deepen their relationships with customers." In other words, they are the ones behind all of the marketing emails that you get from a lot of companies (over 2,500 with 7 of the Fortune 10). They send over 40 billion emails annually.
According to Epsilon's press release dated April 6, 2011, there was an unauthorized entry into the company's email system, affecting approximately 2% of its client base, and only email addresses and/or names were compromised as a result. However, the downside of having a large client base and high profile companies means that 2% could translate to roughly 50 companies, and chances are you've got some pretty big players involved. Thus, if you've noticed an uptick in the amount of spam messages you're getting lately, or you've observed some intriguing behavior associated with any account that uses an email address, it might be worth investigating.
What can we do?
As Epsilon suggested, and I have mentioned in a previous blog post, it's always better to be cautious and know what you're clicking on or to whom you're giving any kind of sensitive information. As the number of applications that require login information grows, so does the number of opportunities for your email address (often used as a username) to be compromised. Similarly, as more applications use single sign-on features like Facebook to have users login, the value of those accounts increases and makes data lists that include email addresses greater targets for cyber thieves. In the end, keeping track of your account credentials, changing your password frequently, and staying vigilant on where your information is being stored ultimately offers you the best protection.