Nothing like a little email breach to jumpstart your week. Many consumers awoke yesterday to emails from credit card companies and retailers, warning them that a breach at third-party marketer Epsilon had exposed their email addresses and names.
Several dozen companies were affected, including tech retailers like Best Buy, TiVo, and Target and credit-card companies like Chase, Citi, Barclays, and Capital One.
Epsilon said in a statement that the breach was detected on March 30, and about 2 percent of its total clients were affected. That's nice, but what does that mean for me? Will my inbox become a haven for Viagra ads and Nigerian email scams?
Who the &*#@! is Epsilon?
Companies like Best Buy, TiVo, and Target, as well as major credit-card issuers use services like Epsilon for marketing purposes, like compiling and maintaining email lists. But as MSNBC's Red Tape blog points out, "most consumers have no idea that Epsilon has their e-mail and name - the emails generally appear to be from a retail firm with which the consumer has a business relationship. That relationship usually begins with a simple check box on a website or a form filled out during a retail store purchase, but it can last for years."
What happened?
Epsilon's database was hacked, exposing the email addresses and names of people with whom Epsilon's clients do business. That includes everyone from Citi and Chase to Target and TiVo.
Do they have my email?
Affected companies should be sending emails to clients warning them of the breach; I've already received two lovely updates. Databreaches.net, however, has been compiling a list of affected companies. If you've done business with someone on that list, there's a good chance your email address was affected.
So, they have my email address. Who cares?
Affected companies are stressing that no personal, financial information was disclosed, but email addresses can still be an effective tool for the crafty phisher. More than likely, the emails will be used for spam purposes, but the more sophisticated individual could send out emails that look like they're from a legitimate company.
What do I do?
Main rule of thumb - don't provide any personal information. Best Buy is not going to ask you to click on a link and enter your credit-card information. Citi will not ask you to confirm your Social Security number via email. When in doubt, don't. Call the company to double check, and forward the email to spam@uce.gov.
I'm not pleased. Can I prevent this from happening again?
As you can see from the long list of affected companies, it's difficult these days to avoid companies that deal with third-party marketers. The good news in this case is that no personal financial data was exposed, so if you pay attention to the emails you receive in the future, and avoid clicking on or downloading suspicious links and attachments, you'll probably be OK. You can also create an email address that's used only for e-commerce and company correspondance. It's still annoying, however, and I, for one, seriously considered cancelling the credit cards I have with the affected companies. How hard is it to manage your own email list?
The Coalition Against Unsolicited Commercial Email (CAUCE) has a few suggestions for how companies can avoid this in the future. And as Alex Eckleberry, general manager of GFI Software's Security Business Unit, notes, "this type of incident should not be taken lightly. It's another reminder that privacy is an illusion on the Internet."