A cyber security breach at marketing firm, Epsilon, has exposed the names and email addresses of millions of customers of some of America’s largest companies, including JP Morgan Chase, Citibank, Barclays Bank, U.S. Bancorp, Walt Disney, Marriott, Best Buy, Target, Kroger and Walgreen’s.
As a result of this breach, customers of these companies are at increased risk of several kinds of cyber crime. This includes bank fraud, identity theft, and credit card theft. More subtly, victimized customers may find that cyber criminals have taken control of their computer, covertly using it to send spam or participate in other illegal activities such as distributed denial of service attacks.
A Warning for Consumers: Consumers need to be very suspicious of emails appearing to come from financial institutions or companies with whom they do business. Cyber criminals are expected to use these stolen email addresses to spear-phish customers. Customers will receive a phony email designed to look like it came from a legitimate company. The email may have a link in it. It may have an attachment. Or it may ask for sensitive information. Consumers need to delete these emails since following a link or opening an attachment can expose their computer to attack. And they should never put sensitive information in an email.
Consumers also need to keep their workstation upgraded with the latest security patches in case a spear-phishing attack gets through. Our Weekend Patch and Vulnerability Report can be used to help keep computer programs up-to-date. Consumers also want to make sure to use an antivirus program or, even better, a host-based intrusion prevention solution.
A Lesson for Organizations Sharing Information with 3rd Parties: Organizations that share information with 3rd-parties can learn an important lesson from the embarrassment suffered by Epsilon’s customers. Cyber security management is a challenge that is not to be taken for granted. Organizations who provide 3rd-parties with access to consumer or other sensitive information have a responsibility to be diligent in assuring these 3rd-parties are properly protecting it. (See the papers in our CEO-Library for examples of what to expect of a 3rd party before sharing sensitive information.) This includes not only 3rd-party marketing companies like Epsilon but also 3rd-parties having access to sensitive information or who write the programs which manage access to sensitive information:
- Datacenters
- Cloud providers
- Web site developers
- 3rd-parties who develop custom applications
- Outsourced IT staff who maintain and manage the network
A Lesson for All: All organizations with consumer or other sensitive information can draw a lesson from Epsilon’s travails: You never get a second chance to make a good first impression. Epsilon’s brand will forever be tainted by this exposure. Solid cyber security management is a lot less costly.