Ameriprise Financial has joined a growing list of large companies annoucing that their customers were exposed in data breach at marketing firm Epsilon. The CyberJungle has learned that Ameriprise Financial notice sent a notice to customers Sunday evening, reading, in part:
We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.
You are receiving this because you have in the past received a communication from Ameriprise. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: email@example.com.
The notice gives general recommendations, including using anti-virus and anti-spyware software, not to send financial information via email, to be cautiious about pop-ups, and to “Use caution when opening attachments or downloading files from email.”
Among the other high-profile companies whose customers were exposed by the breach of Epsilon Marketing’s information systems are Citi, Kroger’s Marriott, Walgreens. A recently updated list is in this SecurityWeek.com story.
In a separate Epsilon statement last week the marketing company said “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s systems. The information that was obtained was limited to email addresses and/or customer names only.”
Epsilon’s “about us” section says, in part, “ …We offer a full range of marketing services to help you [businesses] connect with them [customers] anytime, … This full-brain approach has earned us numerous accolades…” The Epsilon web site has a security policy which states, in part, “We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon.”
The CyberJungle take: It appears that Epsilon may not have been using a “full brain” approach in protecting information assets. The thrust of their statement is: The attackers only took customer names, email addresses and the names of companies the customers do business with, so there is not much of risk of harm. The risk of harm is that social engineering attacks, phishing attacks, and other attacks could be launched against customers. Users are more likely to respond to a message from, say, Walgreens, if in fact they are already a customer of that store. As social engineers have shown, once trust and rapport is gained, an attacker can do significant harm. There could be wide-spread consumer harm, extending to employer data, since many people give a work email address for these services. Security and human resource administrators should consider holding a staff training meeting to help protect the information assets of the business, and protect the staff members from personal cyber attacks that could hurt worker productivity.
The CyberJungle Radio program that will post Monday, will cover this story and other news about security, privacy and the law. Other stories we are covering include the wide-spread SQL injection attack; a new panic button smart phone app: and an in-depth look at the Advanced Persistant Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at TheCyberJungle listening options page.
Posting by Ira Victor