It was reported this morning that last Wednesday, March 30, hackers broke into the databases of Epsilon, an online marketing firm based in Dallas. Epsilon sends more than 40 billion e-mails each year, and the March 30 hack may have been one of the biggest data breaches in U.S. history, according to reports.
The hackers gained access to the names and e-mail addresses of some of Epsilon's customers, but they didn't get any credit card or Social Security numbers, or any other personal financial information, according to statements released by the company.
Epsilon has an impressive client base. It does business with a number of financial institutions, including Citigroup, Capital One, and JPMorgan Chase. It also services TiVo, Verizon, Kraft, Walgreen, Marriott International, and the College Board, as well as a number of retailers, including L.L.Bean, Brookstone, and Best Buy. Many of these companies sent e-mails to their customers over the weekend warning them about the hack.
In practical terms, what does this mean? If no one's financial information was exposed, then customers don't need to worry about direct attacks. It is possible, though, that Epsilon customers will see an uptick in spam and phishing e-mails. "Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher 'hit rate' than a typical 'blind' spamming campaign would yield," notes Mike Lennon at SecurityWeek. "So having access to this information will just help phishing attacks achieve a higher success rate."
So as Alexia Tsotsis reminds us at TechCrunch: "Put on your thinking cap before you give anyone sensitive information like a password or social security number online."