As we told you earlier, an online marketing company named Epsilon suffered a security breach at the hands of hackers late last week. The original reports didn't have a handle on the scope of the breach. But as The New York Times is reporting, it's much worse than originally suspected, with millions of consumers likely impacted. The Dallas-based company handles over 40 billion emails annually, and hackers were able to gain access to its databases.
Because companies like Epsilon, which is the sole source of the information that was stolen, have a vested interest in spinning the news in terms that are most favorable to them, this is often how these things happen: What is first reported to be a tiny crack is later found out to be a massive hole. Expect to hear more on this story as the week progresses.
Epsilon continues to go out of its way to point out that while names and emails were exposed, customer passwords were not. If true, this is good news, as it means hackers won't be able to penetrate financial records, bank accounts and credit card information. But it does give them the opportunity to practice a more precise form of phishing that security experts call "spear phishing." As the Times piece explains:
With the information stolen from Epsilon, thieves could send customers of, say, JPMorgan Chase an e-mail that appeared to be from the bank, complete with their names, said Mark Seiden, a longtime information security consultant in Silicon Valley. If the criminals cross-check a name with the property records of mortgage holders, they could even include the customer’s address in the e-mail.
The security compromise, which some experts say may be among the largest ever, involves customers at a roster of blue chip institutions that handle a fair amount of sensitive personal data, including JP Morgan Chase, Citibank, US Bancorp, L.L. Bean, Ritz-Carlton and, perhaps oddest of all, College Board.