SIX MONTHS ON AND EPSILON STILL DONT SECURE THEIR USERS


In April this year,  Epsilon Data Management LLC  (one of the world's largest providers of marketing-email services) , a division of Alliance Data Systems Corp issued a statement,

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."



(http://www.fastcompany.com/1744738/the-epsilon-breach-should-you-be-angry-worried-or-bored)


When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet.  Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted-out of marketing emails, think again
(http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century)

Epsilon required their customers to log on to their systems using a user name and password with which to ‘authenticate’ themselves.  This was clearly inadequate as a hacker managed to breach their system and obtain a treasure trove of customer information.   
What this meant was that the customers of Epsilons customers i.e. the big  brands,  were ( and still are ) exposed to spear phishing attacks.  They can be targeted by the hackers with e-mails that will look like they legitimately come from those global brands which include the likes of :

Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books and Lacoste…etc.

(http://www.itpro.co.uk/632566/the-fallout-from-the-epsilon-breach)

Currently ( 6 months later ) Epsilon announced ( from their website ):
Further, Epsilon has enhanced user security by implementing two-factor authentication. Two-factor authentication is a security process that requires two means of identification to gain system access, adding significant additional protections beyond conventional strong password requirements. Two-factor authentication, currently in place for employees, will be extended to all clients in Q3 2011. “ 



(http://www.epsilon.com/News%20&%20Events/Press%20Releases%202011/Epsilon_Unveils_Innovative_Security_Enhancements_to_Global_Email_Marketing_Platform%20/p1118-l3)

At the time of writing  (19 Sep 2011) Epsilon clients are still only using a username and password to log-in. 

(https://portals.epsilon.com/c_links.nsf/names.nsf?Login)


Makes you wonder - doesn't it ?  













Comments

  1. EddyCormon22 September 2011 at 10:53

    Always wonder why companies don't buy a Hardware Security Module (Sony should have done it).
    For the price an HSM costs versus the amount a breach costs a company shouldn't even consider but just buy an HSM.

    I will be biased as I'm into IT security over 10 years now.

    ReplyDelete

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more