Home / Blogs

Epsilon Interactive Breach the Fukushima of the Email Industry

Neil Schwartzman

"Marketing as Usual? Not a chance." —Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs' mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing, since they have names, email addresses and who these users did business with, which makes the problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP and ISP/Receiver industries to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

  • Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December. I was told by one ESP security staffer that he hadn't been given sufficient resources to affect all the appropriate changes. That is at best lamentable.
  • Two-factor authentication must be implemented for ESP system access for both staff and clients.
  • Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.
  • ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.
  • ESPs and Senders must deploy extended-validation certificates on web properties.
  • ESPs and brand owners should use the services of email authentication services such as Authentication Metrics , eCert, Return Path, and Truedomain as well as anti-phishing services like BrandProtect, Internet Identity and tools such as Lashback's BrandAlert.
  • ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure

"Epsilon has refused to provide additional details on what other brands may have been affected."Security Week

"SilverPop did not respond to requests for comment"Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

  • Email receivers must follow Yahoo! Mail's lead and deploy multi-layer phishing protection
  • Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.
  • Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.
  • Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies

These financial institutions were affected by the breach:

  • American Express
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Capital One
  • CITI
  • JP Morgan Chase
  • Moneygram
  • Scottrade
  • TD Ameritrade
  • TIAA-CREF
  • U.S. Bank
  • World Financial Network National Bank (Victoria's Secret card)

As well, these marketing and retail companies have reportedly had their client email, names and in some cases, other information stolen:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry's
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriottt confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith's
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)
By Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Seemingly *some* people have been contacted by Michele Neylon  –  Apr 05, 2011 2:18 AM PDT

Seemingly *some* people have been contacted by the affected companies to warn them about the breach. I'm on several of these lists and am yet to receive any warnings, which I'm not overly impressed about.

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign