Feature Article
Mark Pribish
Did You Receive an Epsilon Data Breach Notification Letter?
By Mark Pribish
Vice President and ID Theft Practice Leader

On April 15, the Obama administration released the final version of the National Strategy for Trusted Identities in Cybersapce or NSTIC (read the article here).

The primary purpose and strategy of this NSTIC document is to make public and private sector online transactions for individuals, businesses, organizations, computer networks, computer services and network related devices (like cell phones, iPhones, laptops, etc.) safer, faster and more private.

Based on the Epsilon data breach event which exposed the e-mail addresses (and in some cases names) of an estimated 100 million customers of some of the nation's largest companies (read the article here), this new national strategy for cyber security cannot happen fast enough.

To show the significance of the Epsilon data breach, I have listed below a small sample of companies whose customer information was stolen:

  • Ameriprise Financial
  • Best Buy
  • Capital One
  • Chase
  • Citi
  • Dell
  • Disney Destinations
  • Eddie Bauer
  • Hilton Honors Program
  • Marriott Rewards
  • Fred Meyer
  • Kroger
  • TD Ameritrade
  • MoneyGram
  • Red Roof Inn
  • Scottrade
  • Target
  • TIAA-CREf
  • Ritz-Carlton Rewards
  • US Bank
  • Verizon
  • Walgreens

To put this in perspective, cyber criminals with access to customer names and emails will send targeted (spear) phishing attacks to customers who receive regular email communications from the above mentioned business where they have an established relationship.

Phishing attacks happen when cyber criminals send forged emails by pretending to be your bank, mortgage company, telecom company or any other organization that you do business with to trick you into giving your personal information including logins and passwords.

While phishing is nothing new, the Epsilon data breach event allows for a high volume and more precise phishing attack – commonly known as spear phishing (see details here).

For example, when a bank, financial services, hotel, or retail customer receives an email with their correct name the chance of a higher "hit rate" than a typical "blind" spamming campaign will create more success for cyber criminals.

Just as you may have received one or more email notifications from organizations that you do business with, I received email notifications from Marriott Rewards, Chase Bank, Best Buy, and Hilton. So please note and pay special attention to all emails from businesses and organizations that you do business with including email communications. In summary, the Epsilon data breach continues to show how NO ONE COMPANY can EVER prevent a data breach event from happening.

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.

Sincerely,
Mark