
Epsilon's epic fail: The numbers don't add up (Customer list included)

This topic is archived.

Renew Deal, Donating Member (1000+ posts), Fri Apr-08-11 10:02 AM
Original message
Epsilon's epic fail: The numbers don't add up (Customer list included)
Edited on Fri Apr-08-11 10:05 AM by Renew Deal
Note from me: If you've received even one of these warnings, you should read this post.
______________________________________________________________________

If you haven't yet received an email message from a major company, warning that your email address may have been compromised, you will.
<snip>

On April 1, online marketing firm Epsilon Data Management -- InfoWorld curmudgeon-in-residence Robert X. Cringely calls them "spammers in expensive suits" -- sent out a press release saying that "a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

On April 4, Epsilon updated the press release, adding this puzzling footnote: "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services." I'll talk about that in a moment.
<snip>

Epsilon is also mum on the question of whether the stolen data could be associated with a specific Epsilon customer. Having a list of 100,000 email addresses is one thing. Having a list of 100,000 valid email addresses from JPMorgan customers opens up an entirely different realm of possibilities.

That raises yet another question. If zillions of email addresses were stolen, and the thief or thieves can't tell which Epsilon customer they came from, what is Epsilon doing, sitting on a big pool of undifferentiated email addresses and names?
<snip>

http://www.infoworld.com/t/phishing/epsilons-epic-fail-the-numbers-dont-add-177

Epsilon Breach Raises Specter of Spear Phishing

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.
<snip>

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.
<snip>

List of known Epsilon customers:

■1800-Flowers
■Abe Books
■Air Miles CA
■Ameriprise Financial
■Barclays Bank of Delaware
■Beachbody
■Bebe Stores Inc.
■Benefit Cosmetics
■BestBuy
■Brookstone
■Capital One
■Charter Communications (Charter.com)
■Chase
■Citibank
■City Market
■The College Board
■Crucial.com
■Dell Australia
■Dillons
■Disney Vacations
■Eurosport/Soccer.com
■Eddie Bauer
■Food 4 Less
■Fred Meyer
■Fry’s
■Hilton Honors
■The Home Shopping Network
■Jay C
■JP Morgan Chase
■King Soopers
■Kroger
■LL Bean
■Marks & Spencer (UK)
■Marriott Rewards
■McKinsey Quarterly
■Moneygram
■New York & Co.
■QFC
■Ralphs
■Red Roof Inns Inc.
■Ritz Carlton
■Robert Half
■Smith Brands
■Target
■TD Ameritrade
■TIAA-CREF
■TiVo
■US Bank
■Verizon
■Viking River Cruises
■Walgreens
■World Financial Network National Bank

http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing

meegbear, Donating Member (1000+ posts), Fri Apr-08-11 10:04 AM
Response to Original message
1. K&R
Thank you for the list. :hi:

xchrom, Donating Member (1000+ posts), Fri Apr-08-11 10:04 AM
Response to Original message
2. this whole thing is horrifying. nt

snappyturtle, Donating Member (1000+ posts), Fri Apr-08-11 10:05 AM
Response to Original message
3. Yep. Got one yesterday from Capital One for my emergency credit card
which I don't use. The subject line said it was an important message. I figured they were cutting me off but it was this instead.

Vadem, Donating Member (1000+ posts), Fri Apr-08-11 10:16 AM
Response to Original message
4. I got one from Verizon......n/t

Lyric, Donating Member (1000+ posts), Fri Apr-08-11 10:19 AM
Response to Original message
5. Got one from Best Buy nt

CountAllVotes, Donating Member (1000+ posts), Fri Apr-08-11 10:20 AM
Response to Original message
6. several
US Bank, LL Bean, Abebooks ... probably some others too I'm thinking. :mad:

:argh:

:kick: & recommend.

asjr, Donating Member (1000+ posts), Fri Apr-08-11 10:25 AM
Response to Original message
7. Mine came from U.S. Bank and I still
do not know what the hell happened. The only card I possess is a debit card from them.

Renew Deal, Donating Member (1000+ posts), Fri Apr-08-11 10:28 AM
Response to Reply #7
9. That's more than enough.
If they have your email address, you're on the list even if you are set up as "do not email."

asjr, Donating Member (1000+ posts), Fri Apr-08-11 10:39 AM
Response to Reply #9
13. Thanks. I am just too old to go
through this crap. The wolf is at my front door now and does not need any more help getting in.

CantAffordBootstraps, Donating Member (38 posts), Fri Apr-08-11 10:25 AM
Response to Original message
8. State of CT recently started using Chase to issue
unemployment using either direct deposit from Chase or a Chase EBT card. I wrote to my rep and the State Dept of Labor when this started and noted, among other things, that Chase has been breached before. I just re-sent that email (sort of a "see, told you so") and asked them what information Chase and/or Epsilon has been given about me (and others on UI). Do you think I'll get a reply? Hmmm...

Renew Deal, Donating Member (1000+ posts), Fri Apr-08-11 10:29 AM
Response to Reply #8
11. Welcome to DU
:hi: Good luck getting that reply. :)

Fuzz, Donating Member (1000+ posts), Fri Apr-08-11 10:29 AM
Response to Original message
10. I've gotten 3 warning emails

enlightenment, Donating Member (1000+ posts), Fri Apr-08-11 10:31 AM
Response to Original message
12. Did they get phone numbers, also? Because
a friend just told me that after using her Capital One card the other day, she got an automated phone call telling her there was a problem with her account. It told her to 'push a button' to continue . . . she hung up instead and called the card company directly.

They told her there was no problem with her card and she has had no charges on it. It was very strange.

Renew Deal, Donating Member (1000+ posts), Fri Apr-08-11 10:47 AM
Response to Reply #12
14. They didn't admit to losing phone numbers but...
Edited on Fri Apr-08-11 10:48 AM by Renew Deal
If they know the name of the person and the companies they use, it's not hard to get a phone number. That scam goes on in general.

nc4bo, Donating Member (1000+ posts), Fri Apr-08-11 05:06 PM
Response to Original message
15. Got mine from Charter. wtf. nt