A recent attack on marketing email provider Epsilon has resulted in millions of users’ contact information being stolen, which has led security expert BullGuard to call for increased awareness of the dangers of unsolicited email and phishing attacks.
The incident is being dubbed “one of the largest security breaches in US history”, and could result in swathes of spam being sent to unwitting consumers in an attempt to steal personal data such as credit card and bank account details.
Epsilon provides marketing services to around 2,500 companies, sending over 40 billion emails annually. Contact information belonging to 50 of these clients is believed to have been stolen in the attack. Its clients include US institutions such as JPMorgan and Citigroup and, notably, the UK-based retail giant Marks & Spencer, along with commonly used services such as Play.com and Tripadvisor.
M&S was quick to issue a warning concerning the breach and alerted its customers that they should expect to receive spam emails, though it did confirm that it “takes your privacy very seriously” and “would continue to work diligently to protect your personal information”. This will be of little reassurance to those affected, and though it is thought that no financial details were stolen, subsequent unsolicited mails are expected to attempt to prise these from users.
Epsilon’s statement following the attack confirmed: "The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."
However, internet security expert Dr Stefan Fafinski, of the University of Leeds, was quick to highlight the potential dangers involved with the theft: “Spammers will have a list of good, known and verifiable email addresses that comes straight out of M&S. Once they have names as well as email addresses, the spammers can personalise the emails they send out to look much more like a genuine company communication. People who open these emails may then follow a link to what looks like an official website. They may be asked to update their billing information, credit card details, the three-digit security code, maybe their mother’s maiden name or the answer to a personal security question. That gives them all the information they would need to steal the identity of the customer and access their accounts.”
While the hope is that the majority of attempts to make use of this information for financial gain by malicious third parties will fail, it comes as a stark warning to those who would freely offer up contact information.
“The scale of the attack is concerning and could lead to a revised set of security measures for dealing with customer data,” says Philip Dall, mobile security expert at BullGuard. “But the most immediate concern is to ensure that users are aware of the types of threats posed by unsolicited emails, how to recognise them, and how to guard against them.”
“Customers should rightly expect to feel safe when giving an email address or contact details to a company as big as Marks & Spencer, but this recent attack goes to show that trading of such data should still be done with caution,” he continues.
The reasons for such an attack are not new, and it is likely that the stolen information will be traded on a profitable “black market” of consumer data that is frequented by those looking to exploit the lack of awareness many have over the dangers of spam emails and phishing attacks.
“While security software is commonplace on modern computers, and will likely include a spam filter as standard, awareness is essential and we believe that educating consumers about safe practices is just as important as ensuring that our own software is capable of combating modern threats” says Dall.
In response to the recent attack, BullGuard outlines a number of safeguards consumers should be aware of, as well as ways to detect whether an email is spam or from a legitimate source.
* Set up an email address specifically for handing out to companies that request these contact details that is separate from the one used to manage bank transactions, purchases and financial information. In doing so users will become instantly suspicious of any requests for information sent to the “wrong” account.
* Be very wary of any requests for personal information via email, especially if that email asks that you log on to an external website (usually via an included link). Hackers take great care to appear legitimate and may copy the typical formatting, including logos and contact data from the actual company in order to make you believe they are genuine.
* Be particularly careful when opening attachments from emails unless you’re sure you know who the sender is, and ideally what the file itself contains. This is one of the most common ways in which hackers can install hidden software onto a computer designed for data retrieval and other malicious purposes without your knowledge.
* Pay attention to the URL of any sites that may be requesting personal information, since “mirror” sites are often set up to appear to be part of an official company, often with very similar addresses. This is known as “spear phishing”, which takes place when those sending spam emails are aware of the ties between a consumer and a particular company or service and will look to take advantage of these in order to appear genuine. Any web page that requests personal information should also be secure, as denoted by a padlock icon in the status bar of a web browser and the presence of an “S” in “https://”, which indicates that the page, and therefore your data, is encrypted.
* Use spam protection to ensure that potentially dangerous emails are filtered from the inbox. Most modern security suites should include a good spam filter that can work unobtrusively in the background.
* If in doubt, call the customer service number of the company in question from the official site or any documents you may have from them, and ask them to confirm the request. This is one area of security where it’s most definitely better to be safe than sorry.
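The URL and HTTPS checks in the list above are mechanical enough to automate, for instance in a mail client plug-in or a helpdesk triage script. The following is an added example written for this article, not BullGuard's or Epsilon's code. It goes slightly beyond the list: besides flagging non-HTTPS links and hostnames that merely resemble a trusted company's domain, it also catches a link whose visible text names one site while the underlying address points elsewhere, and the `user@host` trick that hides the real host behind a familiar name. The `TRUSTED_DOMAINS` allowlist and all sample links are constructed for illustration.

```python
"""Flag e-mail links that fail the URL and HTTPS checks described above.

Added example, not the article's or BullGuard's code. The allowlist and the
sample links are constructed for illustration only.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the recipient actually does business with.
TRUSTED_DOMAINS = {"marksandspencer.com", "play.com", "tripadvisor.com"}

# Something that looks like a hostname inside the clickable text of a link.
_HOST_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def host_matches(host, domain):
    """True if host is the trusted domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that host appears to imitate, or None.

    Heuristic: the brand label appears inside an untrusted host
    (marksandspencer.com.example.net), or the whole host is within two
    edits of a trusted domain (marksandspencr.com). Short brand names such
    as 'play' can produce false positives; treat results as a prompt to
    check, not as proof.
    """
    for domain in sorted(TRUSTED_DOMAINS):
        brand = domain.split(".")[0]
        if brand in host or edit_distance(host, domain) <= 2:
            return domain
    return None


def assess_link(href, display_text=None):
    """Return a list of reasons a link looks suspicious; an empty list passes."""
    reasons = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    # Check 1: the page you would type details into must be encrypted.
    if parsed.scheme != "https":
        reasons.append("not https: anything entered here is sent unencrypted")

    # Check 2: 'https://trusted.com@attacker' shows the trusted name but
    # the browser connects to whatever follows the '@'.
    if "@" in parsed.netloc:
        reasons.append("userinfo before '@' hides the real host %r" % host)

    # Check 3: is the real host one we actually trust?
    if not any(host_matches(host, d) for d in TRUSTED_DOMAINS):
        reasons.append("untrusted host %r" % host)
        imitated = lookalike_of(host)
        if imitated:
            reasons.append("lookalike of %s" % imitated)

    # Check 4: the visible link text names a site other than the real host.
    if display_text:
        shown = _HOST_IN_TEXT.search(display_text.lower())
        if shown and shown.group(0) != host and not host_matches(host, shown.group(0)):
            reasons.append("link text shows %r but goes to %r" % (shown.group(0), host))

    return reasons


def scan_links(links):
    """Assess (href, display_text) pairs; returns {href: [reasons]}."""
    return {href: assess_link(href, text) for href, text in links}


if __name__ == "__main__":
    # Constructed sample links of the kind a post-breach phishing mail might carry.
    sample = [
        ("https://www.marksandspencer.com/account", "www.marksandspencer.com"),
        ("http://marksandspencer.com.security-update.net/login", "Update your billing details"),
        ("https://marksandspencr.com/verify", "Verify your account"),
        ("https://marksandspencer.com@203.0.113.5/login", "marksandspencer.com"),
        ("https://tripadvisor.com.example.net/", "tripadvisor.com"),
    ]
    for href, reasons in scan_links(sample).items():
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

The allowlist is the important design choice: rather than trying to recognise every bad address, the script only trusts hostnames that are exactly, or are genuine subdomains of, domains the reader has already chosen to trust, and treats everything else as worth a phone call to the company's official number.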