"We seem to be in data breach season at the moment," said Andrew Kellett, senior analyst, Ovum. "Last week it was RSA and this week Epsilon. The two of course are very different, but the commonality is that good organizations can be breached by a determined attacker."
"In the case of Epsilon the extent of the overall breach has not as yet been completely established, but is thought to be very large," he said. "On the positive side, from what we do know, the data that has been lost does not appear to be detailed enough to, for example, break into a person's bank account or steal their identity. However, exposing a very large number of email details and the associations of the individuals with specific organizations makes everyone affected vulnerable to targeted phishing attacks. Therefore the advice to anyone in Asia or any other part of the world would be to be extra vigilant. Never respond to an email that asks for confidential information, and always ensure that you never pass on banking or other financial information to a requestor via the web. Your bank and trading partners know your details and should never ask you to confirm them."
Implications for customers
"The problem in the Epsilon case is that there are two lots of customers affected," said Paul Ducklin, head of technology, Asia Pacific, Sophos. "Firstly, there are Epsilon's customers - which includes a growing list of major companies. Our own readers have sent in 'warning emails' from a dizzying array of affected companies, apparently including: Walgreens, 1800Flowers.com, Air Miles, Target, Lacoste, AbeBooks, McKinsey Quarterly, Brookstone, Disney, American Express, Best Buy, and more. They are now faced with a security embarrassment created by a third party."
"Secondly, there are the customers of all Epsilon's customers - the people whose email addresses have been lost."
"So there are two lots of advice. To the end-users - the customers of Epsilon's customers - the risk is, fortunately, fairly low. Email addresses are usually widely known anyway. But users whose addresses have been compromised need to be vigilant, because they might receive increased levels of spam, and that spam might be better targeted than usual."
"Losing your email address to scammers and spammers is likely to mean a surge in spam to your account. And losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable."