Archive for Ameriprise

Ameriprise Financial Customers Exposed in Massive Marketing Firm Breach

Posted in Breach, criminal forensics, darkweb, eMail Security on April 3, 2011 by Habeas Hard Drive

Ameriprise Financial has joined a growing list of large companies announcing that their customers were exposed in a data breach at marketing firm Epsilon. The CyberJungle has learned that Ameriprise Financial sent a notice to customers Sunday evening, reading, in part:

We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.

You are receiving this because you have in the past received a communication from Ameriprise. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.

The notice gives general recommendations, including using anti-virus and anti-spyware software, not sending financial information via email, being cautious about pop-ups, and, in its words, to “Use caution when opening attachments or downloading files from email.”

Among the other high-profile companies whose customers were exposed by the breach of Epsilon’s information systems are Citi, Kroger, Marriott, and Walgreens. A recently updated list is in this SecurityWeek.com story.

In a separate Epsilon statement last week the marketing company said “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s systems. The information that was obtained was limited to email addresses and/or customer names only.”

Epsilon’s “about us” section says, in part, “ …We offer a full range of marketing services to help you [businesses] connect with them [customers] anytime, … This full-brain approach has earned us numerous accolades…” The Epsilon web site has a security policy which states, in part, “We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon.”

The CyberJungle take: It appears that Epsilon may not have been using a “full brain” approach in protecting information assets. The thrust of its statement is that the attackers took only customer names, email addresses, and the names of the companies those customers do business with, so there is little risk of harm. The risk of harm is precisely that social engineering attacks, phishing attacks, and other attacks can now be launched against those customers. A user is more likely to respond to a message that appears to come from, say, Walgreens when he or she is in fact a Walgreens customer, and the stolen data tells the attacker exactly which users those are. As social engineers have shown, once trust and rapport are gained, an attacker can do significant harm. The harm could be widespread and could extend to employer data, since many people give a work email address to these services. Security and human resource administrators should consider holding a staff training meeting to help protect the information assets of the business, and to protect staff members from personal cyber attacks that could hurt worker productivity.

The CyberJungle Radio program that will post Monday will cover this story and other news about security, privacy and the law. Other stories we are covering include the widespread SQL injection attack; a new panic-button smartphone app; and an in-depth look at the Advanced Persistent Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at TheCyberJungle listening options page.

Posting by Ira Victor

Data Security Podcast Episode 67, Aug 24 2009

Posted in Announcements, Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities, web server security on August 24, 2009 by Habeas Hard Drive

30 minutes every week on data security, privacy, and the law… (plus or minus five)

On this week’s program:

* The security lessons from the Heartland data breach – what the newscasters didn’t tell you. Details in our Tales from The Dark Web segment.

* What if you discovered a web security flaw and the company’s customer service staff ignored your alerts? An exciting announcement about a project to address this problem.

* Our take on this week’s news.

–> Stream, subscribe or download Episode 67 – Listen, or subscribe to the feed to have the latest episode sent automatically to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 67 of the Data Security Podcast

* EXCLUSIVE: Ira talks with Russ McRee of HolisticInfoSec.org about major security issues. The conversation includes the announcement of a new project, ReportSecurityFlaws.com.

* Tales From The Dark Web: What the other newscasters didn’t talk about in the news of the indictment of the Heartland / TJMaxx / 7-11 attacker, Albert Gonzalez.

* From the News: Web app attacks lead to possible breach of law enforcement data

* From the News: SQL Injection Demystified – a look at the attack and how to protect your applications from it

* From the News: Report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack

* From the News: Cyber-Ambulance Chasing (Can’t we think of another way to accomplish this?)

Unspam Technologies filed a “John Doe” lawsuit in federal court against cybercriminals who have been targeting banks. The unfortunate bank customers are now caught between the devil and the deep blue sea: Unspam’s suit seeks confidential account information from the financial institutions as part of its strategy to track down the hackers.

Here’s the money quote from the coverage in the New York Times: even though Unspam’s lawyer “concedes he is unlikely ever to discover the names of the hackers… he hopes to get the details of the thefts, the names of victims and other information from the banks that can be used to improve security and possibly identify the hackers.”

We’re not sure we like this strategy. Who’s next? Shall we force insurance companies to cough up individual medical records in order to prosecute hospital ID theft?

Read the story by Saul Hansell in the New York Times.

* Wrap: Vanishing eMail