SIX MONTHS ON AND EPSILON STILL DONT SECURE THEIR USERS
In April this year, Epsilon Data Management LLC (one of the world's largest providers of marketing-email services) , a division of Alliance Data Systems Corp issued a statement,
"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."
When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet. Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted-out of marketing emails, think again
(http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century)
Epsilon required their customers to log on to their systems using a user name and password with which to ‘authenticate’ themselves. This was clearly inadequate as a hacker managed to breach their system and obtain a treasure trove of customer information.
What this meant was that the customers of Epsilons customers i.e. the big brands, were ( and still are ) exposed to spear phishing attacks. They can be targeted by the hackers with e-mails that will look like they legitimately come from those global brands which include the likes of :
Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books and Lacoste…etc.
Currently ( 6 months later ) Epsilon announced ( from their website ):
“ Further, Epsilon has enhanced user security by implementing two-factor authentication. Two-factor authentication is a security process that requires two means of identification to gain system access, adding significant additional protections beyond conventional strong password requirements. Two-factor authentication, currently in place for employees, will be extended to all clients in Q3 2011. “
At the time of writing (19 Sep 2011) Epsilon clients are still only using a username and password to log-in.
(https://portals.epsilon.com/c_links.nsf/names.nsf?Login)
Makes you wonder - doesn't it ?
Always wonder why companies don't buy a Hardware Security Module (Sony should have done it).
ReplyDeleteFor the price an HSM costs versus the amount a breach costs a company shouldn't even consider but just buy an HSM.
I will be biased as I'm into IT security over 10 years now.