What is Your Risk from the Epsilon Marketing Email Hack?

How Might Those Affected by the Epsilon Hack Be at Risk?

Brad Sylvester
On Friday, April 1, Epsilon Marketing revealed in a press release that its email data had been hacked. The hackers were able to take the names and email addresses of people within their list. Epsilon says that no other information was visible to the intruder.

I received a notification from TiVo, a company from which I purchased services several years ago. The information from TiVo reiterated the information in Epsilon's press release, adding that the company that was hacked provided email services for TiVo.

I have received emails like this from a number of companies over the last few years. I have been told that my credit card information was exposed on several occasions by several vendors, and last year, I was told that a system housing my health records and Social Security number had been exposed to an unauthorized intrusion. In terms of some of my personal information that has been exposed by these earlier hacks, having my name and email address exposed is actually not that troubling for me. That information, after all, could be readily obtained by anyone with less than five minutes of web searching.

There are two ways that the criminal responsible for this action could attempt to profit. The first is to simply sell the entire database of names and email addresses to some other spammer for a one-time flat fee. That would mean that those, like me, who have had their emails and names exposed in the Epsilon hacking would likely be receiving a fresh influx of spam emails advertising assorted nefarious products and services. The real danger of the hack is the possibility that the information falls into the hands of a more sophisticated criminal, whether it is the original hacker or someone who has purchased the information.

A cyber criminal could use the information for phishing attacks that attempt to con the spam recipient into giving out more valuable personal information or exposing their computers to a virus or computer worm. This would be done by sending emails that masquerade as coming from one of the Epsilon client companies that had its customers' names exposed. If I were still doing business with TiVo, for example, I might be more inclined to respond to a request for updated payment information or download a software update allowing some new service related to my TiVo account.

The criminal who hacked into Epsilon Marketing's system reportedly doesn't know which Epsilon client company is associated with my name in the database. That means that the phishing attack would either be repeated for several of the client companies whose data was taken from the Epsilon system or that each customer would receive a single phishing attack from just one of the affected companies, relying on the fact that some large percentage of those receiving the faked email would be customers.

As always, exercising best practices with email security can prevent those whose names were stolen from falling victim to phishing scams.

Published by Brad Sylvester - Featured Contributor in Lifestyle

Brad spent 18 years in the consumer electronics industry, including more than ten years in new product development. He now writes full time from his home in the mountains of New Hampshire.

2 Comments

  • Linda Louise Johnson, 4/4/2011

    Chase's email lists got hacked too. Thanks for covering this.

  • Bill Hanks, 4/4/2011

    I read about this.
