Data mining for bad guys

My notification mail from Hilton HHonors

Over the past three days many of us have woken up to an unwelcome sight in our email inboxes. A notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the “database marketing vendor” Epsilon. Today I got my first one and I’m far from alone.
The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received was from Hilton HHonors, the loyalty scheme for Hilton hotels. Other affected companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon & Visa, to name but some.
No details have been made available regarding how the data was accessed beyond the initial statement made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.
Epsilon state that the “unauthorized entry into Epsilon’s email system” affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.
Every notification email and also the public statement from Epsilon reassures us that “only” names and email addresses were “obtained” (read stolen) and that no other information, financial or otherwise, is at risk. Unfortunately, this downplays the level of risk to customers and is also misleading.
Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.
The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach and people should be more vigilant than usual when receiving emails from affected institutions that may request personal information.
It is important to remember though, that phishing is not the only criminal activity facilitated by this fraud. This gold mine of information makes credible malicious mails much simpler to design. An email may appear to come from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection, without any user interaction beyond that first click. If a criminal can own your PC, they don’t have to ask you for your personal details, they can simply take them, and much else besides.
So, for those affected by this breach (note to self):

  • Pay careful attention to emails you receive in the coming months, perhaps years.
  • Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
  • Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://”. If it’s not encrypted they don’t deserve your data.
  • Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
  • To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.
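As an added illustration of the last point (this is example code, not from the original article or the one it links to), a per-service alias in the common “user+tag@domain” form lets you tell which company leaked your address and spot mail that impersonates a brand you gave a different alias to. The alias table and sender domains below are constructed assumptions.

```python
# Added example: per-service e-mail aliases and what they let you check when a
# breach notification or a suspicious mail arrives. Assumes "user+tag@domain"
# sub-addressing; the service table and legitimate sender domains are constructed.
import re
from email.utils import parseaddr

MY_USER, MY_DOMAIN = "alice", "example.net"

# Constructed: which alias tag was handed to which service, and the sender
# domains that service is expected to mail from.
ALIASES = {
    "hilton":  {"hilton.com", "hiltonhhonors.com"},
    "bestbuy": {"bestbuy.com"},
    "bank":    {"example-bank.com"},
}

def alias_for(service: str) -> str:
    """Build the unique address to hand to one service (e.g. at sign-up)."""
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{MY_USER}+{tag}@{MY_DOMAIN}"

def classify(to_header: str, from_header: str) -> tuple[str, str]:
    """Return (service the alias was issued to, verdict) for one received mail."""
    _, to_addr = parseaddr(to_header)
    _, from_addr = parseaddr(from_header)
    pattern = rf"{re.escape(MY_USER)}\+([a-z0-9]+)@{re.escape(MY_DOMAIN)}"
    m = re.fullmatch(pattern, to_addr.lower())
    if not m:
        return ("unknown", "not a per-service alias")
    service = m.group(1)
    if service not in ALIASES:
        return (service, "alias never issued")
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if sender_domain in ALIASES[service]:
        return (service, "sender matches service")
    # The alias was only ever given to this one service, so mail from anyone
    # else means the address has leaked and the sender is impersonating it.
    return (service, f"alias leaked; sender {sender_domain} is not {service}")

if __name__ == "__main__":
    # Constructed headers: one genuine mail, one that reuses a leaked alias.
    print(classify("alice+hilton@example.net", "Hilton HHonors <news@hilton.com>"))
    print(classify("Alice <alice+bestbuy@example.net>", "security@best-buy-alerts.example"))
```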

And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.