Chances are you’ve received an email this week notifying you that your email address was stolen. On Friday, Epsilon, one of the largest email marketing companies, announced that its database had been breached, and “a subset of Epsilon clients’ customer data were exposed.” Epsilon says the breach was limited to email addresses and/or customer names only, and no other personally identifiable information was at risk. However, the scope of the breach, along with the list of Epsilon's clientele, makes this one of the largest security breaches of its kind.
Epsilon says that only 2% of its clients were affected – only about 50. But those 50 include Citigroup, Capital One, Walgreen, Best Buy, Target, Hilton, Kroger, TiVo, Disney, The College Board, and Marriott.
More Phishing
Despite the reassurances that email addresses and names were all that were stolen, many security experts are still concerned about the implications. Even though no financial data were disclosed, just by knowing someone’s email address and their spending habits – or at least the brands with which they have some sort of relationship – it may be easy to craft a targeted and sophisticated phishing attack.
If scammers know that you have a credit card with Capital One, for example, they may send emails asking you to log into a website and provide credentials that will give them access to more data, including financial information. People do fall for these targeted “spear-phishing” attacks, because the emails appear to come from a company the recipient has a relationship with.
What Can You Do About It?
Phishing attacks are not uncommon, and as always, if you keep your guard up about where you click and what information you give up, you’ll probably be safe. But phishing attacks do work, even if it’s just for a small percentage of recipients. And as the breach at Epsilon has exposed tens of millions of email addresses, even that small percentage could prove to be a sizable number.
When you receive an email from a company now, make sure you scrutinize it fully. Look at the email address and verify the sender. Look for typos and strange URLs. But don’t click on those links. If you do get a suspicious email – particularly one with an urgent tone asking you to update your personal information – pick up the phone and call the company in question. Remember: most companies aren’t going to ask for sensitive information via email.
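The sender and link checks described above can be automated for mail that claims to come from a brand you deal with. The sketch below is an added example, not part of the original article; the trusted-domain list, the sample message and its .example domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains you have confirmed yourself for brands you deal with.
TRUSTED = {"Capital One": {"capitalone.com"}}

# Constructed sample message; the .example domains are placeholders.
SAMPLE = """\
From: Capital One <alerts@capitalone-secure.example>
Subject: Urgent: update your personal information
Content-Type: text/html

<p>Please <a href="http://login.capitalone.com.verify.example/update">log in at
capitalone.com</a> to update your account.</p>
"""

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw, trusted=TRUSTED):
    """Return a list of reasons the message deserves a phone call first."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # single-part message: payload is the body text
    findings = []
    for brand, domains in trusted.items():
        # Only judge mail that presents itself as coming from a known brand.
        if brand.lower() not in (display + " " + body).lower():
            continue
        sender_host = addr.rpartition("@")[2]
        if not under(sender_host, domains):
            findings.append(f"sender {sender_host} is not a {brand} domain")
        # Compare each link's real host, not the text shown to the reader.
        for url in re.findall(r'href="([^"]+)"', body, flags=re.I):
            host = urlsplit(url).hostname
            if not under(host, domains):
                findings.append(f"link host {host} is not a {brand} domain")
    if re.search(r"\burgent\b", msg.get("Subject", ""), re.I):
        findings.append("urgent tone in subject")
    return findings

if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print("suspicious:", reason)
```

The From header can be forged, so an empty result only means the message passed these visual checks, not that it is genuine.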