×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Epsilon Data Breach Bigger Than Just Kroger Customers' Data

timothy posted about 3 years ago | from the trade-loyalty-cards-and-email-addresses dept.

Privacy 115

wiredmikey writes with an update to the previously reported Epsilon breach: "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow ..." An anonymous reader points out that U.S. Bank is on the list of affected companies; I wonder how many more phishing attempts this will mean.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

115 comments

SAY IT AINT SO !! (-1)

Anonymous Coward | about 3 years ago | (#35697372)

A breach ?? Holy smokes !!

Re:SAY IT AINT SO !! (-1)

Anonymous Coward | about 3 years ago | (#35697494)

A breach ?? Holy smokes !!

i would bet that the niggers did it cept i dont think the niggers are that smart. damn.

finally something you can't blame on the niggers. shit. not good. not good at all.

collegeboard.com affected (5, Interesting)

patmandu (247443) | about 3 years ago | (#35697378)

Just got this email:

CollegeBoard.com
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.

Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.

Epsilon has reported this incident to, and is working with, the appropriate authorities.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

The College Board

Re:collegeboard.com affected (1)

Conrthomas (1993390) | about 3 years ago | (#35697382)

I just got the same email. I hope to JEEBUS that they're telling the truth.

Re:collegeboard.com affected (2)

MoonBuggy (611105) | about 3 years ago | (#35697602)

Even if they believe to the best of their knowledge that it was just names and emails, it does occur to me that if their system has been compromised in one way it is not entirely unreasonable to believe that the attacker managed more discreet access to more sensitive data.

Also vaguely interesting is the fact that I also got the message, having not had any contact with College Board for about five years. Not that I would expect my data to have magically disappeared from their systems, I suppose, but it's a vivid reminder of the long memory of the internet.

Re:collegeboard.com affected (1)

scrib (1277042) | about 3 years ago | (#35697918)

It was Epsilon's systems that were compromised and their whole purpose is to send out subscriber emails. Epsilon was never given any information except what was used to generate those emails: mostly names and email addresses. One exception was the number of "member rewards" points for a company who presumably sends out automated emails with "Hi [your name]! You have [N] rewards points to spend!"

I don't trust that the sensitive information is secure due to extra security around it at Epsilon, but I do trust it is secure due to the force of laziness. Why a company construct the tables or spend the bandwidth to send all that sensitive information to a bulk mailing company? It's risky, costly, unnecessary, and more work.

Some people will doubtless fall victim to targeted phishing, but that's the only way the breach will result in loss of more sensitive information.

Re:collegeboard.com affected (2, Insightful)

hairyfeet (841228) | about 3 years ago | (#35697612)

Which just goes to show why we need some basic regulations when it comes to data security. I mean how many times have we seen epic levels of stupid when it comes to user data, like the guy that left the tapes unencrypted in the back of his car?

We really need some regulations in this area with regard to security practices. At the very least a minimum level of encryption and having important data separate from each other with different keys. The amount of data corps have on us is just getting staggering so demanding at least a minimum level of care shouldn't be too much to ask.

Re:collegeboard.com affected (1)

JustOK (667959) | about 3 years ago | (#35698128)

...like the guy that left the tapes unencrypted in the back of his car?

what kind of car?

Re:collegeboard.com affected (0)

Anonymous Coward | about 3 years ago | (#35699442)

Which just goes to show why we need some basic regulations when it comes to data security. I mean how many times have we seen epic levels of stupid when it comes to user data, like the guy that left the tapes unencrypted in the back of his car?

We really need some regulations in this area with regard to security practices. At the very least a minimum level of encryption and having important data separate from each other with different keys. The amount of data corps have on us is just getting staggering so demanding at least a minimum level of care shouldn't be too much to ask.

How dare you suggest something like regulation around here! Everyone knows that this is something that the free market can resolve on its own. These megacorps will just switch over to another major email marketing provider that assures them that their data is safe. Problem solved.

Re:collegeboard.com affected (1)

Anonymous Coward | about 3 years ago | (#35697520)

I'm a kroger customer. I use their online ordering stuff to have groceries delivered to my home. Yesterday's post said they had notified customers of the breach by email. I've checked. I've received no such email from Kroger or any related Kroger company about *anything*.

Re:collegeboard.com affected (0)

Anonymous Coward | about 3 years ago | (#35697632)

More likely that they got caught by spam filters than them not mass mailing all affected customers.

Re:collegeboard.com affected (0)

Anonymous Coward | about 3 years ago | (#35699382)

This seems very likely. I saw from this thread that I should have gotten a notification from TiVo. However, Outlook didn't have it either in the inbox or in the Junk folder. I logged onto my comcast account and looked in their web mail client and sure enough the TiVo notice was in the comcast Spam filter. It was the only note so filtered (locally, my Outlook filter captures about 2 Spam notes a week that Comcast doesn't catch). My daughter got the College Board version of this mail fine through Yahoo mail. I wonder if they sent these out "too fast" or something so that the ISP filters are catching some of them?

Re:collegeboard.com affected (1)

SpzToid (869795) | about 3 years ago | (#35698646)

This was received by me, 20 hours ago (imagine the address list being used, by Epsilon, to contact ALL their former end-users; not to mention the value to those that possess it now.):

Important information from McKinsey Quarterly

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have any questions or concerns, please contact McKinsey Quarterly at info@mckinseyquarterly.com. For any media inquiries, please contact -name saved from embarrassment- at +1-212-415-5321.

Sincerely,

-name saved from embarrassment-
Senior Managing Editor
McKinsey & Company

nyandcompany.com and disney.com as well (2)

Ecuador (740021) | about 3 years ago | (#35699236)

I got this one yesterday:

Dear New York & Company Customer,

Yesterday, we were informed by our email service provider that your
email address was exposed by unauthorized entry into their system. Our
email service provider deploys emails on our behalf to customers who
have opted into email based communications from us. We want to assure
you that the only information that was obtained was your name and/or
email address. Your account and any other personally identifiable
information were not at risk.

Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We also want to remind you that
we will never ask you for your personal information in an email.

We sincerely regret this has taken place, and we apologize for any
inconvenience this may have caused you. We take your privacy very
seriously, and we will continue to work diligently to protect your
personal information.

Please visit http://faq.nyandcompany.com/ [nyandcompany.com] for answers
to some frequently asked questions about this incident.

Sincerely,

New York & Company

You've received this message because you registered to receive
email from New York & Company. If you no longer wish to receive
email from us, or would like to edit your email preferences,
click here.
http://email.nyandcompany.com/p/NYandCompany/OptOut?EMAIL_ADDRESS=nyandcompany_orders@ecuadors.net& [nyandcompany.com]

Click here to view our Privacy Policy.
http://www.nyandcompany.com/nyco/company/privacy.jsp?& [nyandcompany.com]

New York & Company Corporate Office
450 W. 33rd Street
New York, NY 10001

And this one today:

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

NOT disney.com (0)

Anonymous Coward | about 3 years ago | (#35701048)

There's a distinction between Disney Destinations and Disney.com and while there may ultimately be some shared infrastructure (though not much - they're handled by completely separate organizations within DIsney) I'm fairly certain this is not an example of that. I know that Epsilon isn't used to back the core registration system, so I'm going to take a guess and say that Epsilon comes into play when an e-commerce transaction happens - something frequent on sites like Disney Destinations, but disney.com itself has no e-commerce.

Re:NOT disney.com (0)

Anonymous Coward | about 3 years ago | (#35703044)

I give a different email wherever I sign up for something, and that email contains the domain name of the page that asks me to register. In this particular case it was disney.go.com, which is where disney.com gets you. Now, if it was something like destinations.disney.go.com or disney.com/destinations or whatever, sorry for not knowing this affects specific subdomains with separate registration..

Add Ameriprise Financial Services: (1)

ptbarnett (159784) | about 3 years ago | (#35700274)

We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.

Please remember, Ameriprise will never ask you for personal or account information through email. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.

And abebooks! (1)

Ecuador (740021) | about 3 years ago | (#35703168)

After nyandcompany.com and disney I got an email from abebooks:

Epsilon Informs AbeBooks of E-mail Database Breach

We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.

tivo (2)

Zebai (979227) | about 3 years ago | (#35697396)

I got a message from tivo today about this exact type of breach, i guess they use this company also although the email was vague on the name of the company and the reason they had my email to begin with.

Re:tivo (2)

LostCluster (625375) | about 3 years ago | (#35697692)

We've got a serious security hole in the Internet that whenever an e-mail needs to be sent, you've got to disclose a destination address to several "why should we trust you?" parties.When you've got a lot to send, you either have to bore yourself setting up a system to get around "You're acting like a spammer" blocks that are different at every ISP or hire this third party that already did that research. When this third party gets hit, everybody's list falls at once.

If only privacy policy violations came with cash payouts... that cash would come from the once-profitable third party, and suddenly the cost of doing it the cheap yet wrong way would show up.

Re:tivo (1)

93 Escort Wagon (326346) | about 3 years ago | (#35697812)

I got a message from tivo today about this exact type of breach, i guess they use this company also although the email was vague on the name of the company and the reason they had my email to begin with.

I got the same message. If my Tivo address is used for spam, it should be reasonably obvious, since I use a unique address for that account.

Re:tivo (1)

Tihstae (86842) | about 3 years ago | (#35699686)

Text of Email Message from Tivo:

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

Sincerely,
The TiVo Team

Paul Erdos would not have been surprised (2, Funny)

Anonymous Coward | about 3 years ago | (#35697406)

Erdos, who never married, would greet the sight of a colleague's toddler by exclaiming, "Aha, an epsilon!" Even an absent-minded mathematician would have realized that you don't put customer data in the custody of an Epsilon.

Only Names and Emails? (4, Interesting)

longacre (1090157) | about 3 years ago | (#35697408)

Usually email marketing databases include a lot more than name and email. They can include identifying demographic info such as home address, sex, age, income, and more to allow for message targeting. Now it's possible that these guys only took names and emails as Kroger and US Bank have announced, but I wouldn't be surprised of Epsilon perhaps underplayed the severity of the breach to their clients.

Re:Only Names and Emails? (1)

whoever57 (658626) | about 3 years ago | (#35697484)

Usually email marketing databases include a lot more than name and email.

Perhaps you are correct. However, I just got an email from that claims that only my name and email address were compromised. Exactly what data was compromised may depend on the particular company's relationship with Epsilon.

Re:Only Names and Emails? (0)

Anonymous Coward | about 3 years ago | (#35697582)

Yes, the only data that belongs to you is your name and email, but the demographic data belongs to THEM!

Re:Only Names and Emails? (5, Informative)

LostCluster (625375) | about 3 years ago | (#35697650)

This wasn't a marketing company, it was an e-mail delivery service. It takes a lot of work to deliver thousands of customized e-mails to a customer base. To get it right, you have to learn the SMTP acceptance policies of various ISPs, deliver up to the limit, and then back off until the timeout resets.

This just goes to show why you only give database slices away, all they needed was the text of the e-mail with the variable spots included, the name to put in the variable slot, and the address to send it to.

It's a spammer's dream to get this many active e-mail addresses released, but it's not the kind of thing that should cause much damage.

Re:Only Names and Emails? (0)

Anonymous Coward | about 3 years ago | (#35699016)

This wasn't a marketing company, it was an e-mail delivery service. It takes a lot of work to deliver thousands of customized e-mails to a customer base. To get it right, you have to learn the SMTP acceptance policies of various ISPs, deliver up to the limit, and then back off until the timeout resets.

This just goes to show why you only give database slices away, all they needed was the text of the e-mail with the variable spots included, the name to put in the variable slot, and the address to send it to.

It's a spammer's dream to get this many active e-mail addresses released, but it's not the kind of thing that should cause much damage.

I beg your pardon, not a marketing company? This is from Epsilon's site: "Epsilon is the world's largest permission-based email marketer."
It's the same Epsilon that College Board (and Kroger, and all these other companies) use, I believe.

I don't recall *giving* College Board permission to share my e-mail address, name, any information, with any third party other than schools our son
wanted to receive his test scores. Is there something implicit in giving that permission that granted them permission to share with third parties,
be they marketers or simply e-mail delivery services?

Man, when is this cavalier treatment of so many peoples' information, for the sake of corporate profit, going to end?

Re:Only Names and Emails? (1)

xystren (522982) | about 3 years ago | (#35699608)

I beg your pardon, not a marketing company? This is from Epsilon's site: "Epsilon is the world's largest permission-based email marketer." It's the same Epsilon that College Board (and Kroger, and all these other companies) use, I believe. I don't recall *giving* College Board permission to share my e-mail address, name, any information, with any third party other than schools our son wanted to receive his test scores. Is there something implicit in giving that permission that granted them permission to share with third parties, be they marketers or simply e-mail delivery services? Man, when is this cavalier treatment of so many peoples' information, for the sake of corporate profit, going to end?

I think the time has come where privacy policies need to change where 3rd parties are not disclosed as 3rd parties - they should be disclosed by name and not the generic "3rd parties" description.

What is becoming more frustrating, is generally we have no idea of "who or where" our personal information is. It was news to me that Epsilon has my email address - hell back in the ChoicePoint fiasco, I didn't know they had my information.

Has the time for full disclosure regarding who these mysterious 3rd parties arrived?

Re:Only Names and Emails? (0)

Anonymous Coward | about 3 years ago | (#35697886)

It's very possible that the only thing Epsilon was doing is sending out the email, not actually using demographic info to try to figure out which customers are most likely to be interested in which products. Sending mass email is a lot more complicated than you might expect, and sometimes it makes sense to outsource that.

I wonder... (0)

Anonymous Coward | about 3 years ago | (#35697416)

If this is in retaliation to Microsoft's recent action of disabling a well-known botnet.

Brookstone (0)

Anonymous Coward | about 3 years ago | (#35697420)

I got a similar message from Brookstone tonight. First name and Email only it claims.

Re:Brookstone (1)

Seumas (6865) | about 3 years ago | (#35697636)

So this company has an entire database that is secured differently and separately from all of the other databases they have and this one database's purpose is for nothing other than storing first names and email addresses? This seems HIGHLY unlikely. I spell a huge pile of bullshit, here.

Re:Brookstone (1)

Grygus (1143095) | about 3 years ago | (#35698880)

So this company has an entire database that is secured differently and separately from all of the other databases they have and this one database's purpose is for nothing other than storing first names and email addresses? This seems HIGHLY unlikely. I spell a huge pile of bullshit, here.

Your reasoning is sound but the underlying assumption is a poor one; it is trivial and very common to grant access to only parts of a database. The idea that Epsilon only had access to those two pieces of information out of a much larger pool of data is extremely likely.

Don't trust the Cloud (1)

danbuter (2019760) | about 3 years ago | (#35697422)

because this kind of crap can happen to you. Might not matter for your personal computer, but if you are a corporate account, it could destroy your company.

Re:Don't trust the Cloud (0)

Anonymous Coward | about 3 years ago | (#35697460)

Being able to blame a 3rd party is probably why they outsource it.

Re:Don't trust the Cloud (1)

ThomasBHardy (827616) | about 3 years ago | (#35701916)

If this had anything whatsoever to do with the cloud you might have a point. As it is you just show a biased frustration with cloud technology that leads you to blame it for unrelated things.

One can only hope... (2)

lavagolemking (1352431) | about 3 years ago | (#35697482)

One can only hope this sheds some light on the way companies routinely share otherwise personal information without full disclosure. Maybe if enough people see the people see all their information being compromised by 3rd-party affiliates they never heard of they'll realize what's going on. They just don't seem to realize (or care) that just by filling out 1 form and handing it to 1 company, dozens of other partner/contractor/affiliate companies get a copy and will likely keep it forever.

It's even worse when they do it with social security numbers or financial data. My school routinely hands social security numbers to other companies as a way of "minimizing liability" because if something happens then they can blame the contractor, as if that somehow minimizes the risk to students. I see this sort of thing happen all to often and it saddens me.

Re:One can only hope... (0)

Anonymous Coward | about 3 years ago | (#35697526)

Like they care. Noticed FB lately?

Re:One can only hope... (0)

Anonymous Coward | about 3 years ago | (#35697604)

I can't help but feel that this is what we deserve. Industry and government try to manipulate the value of tech employees by exempting them from certain things and offshoring the work to drop the domestic bargaining power of people in the tech industry. The only time the concept of supply and demand come into things are when it comes time to justify H1Bs and offshoring and special government programs. And then we wonder why services and security have problems at some points. Well, gee, maybe it has something to do with the way tech professionals are dismissed.

Re:One can only hope... (0)

Anonymous Coward | about 3 years ago | (#35697680)

Minimize the risk to students? What made you think that was ever a priority? It was entirely to minimize risk to THEM.

I just got this one. Is it legit? (0)

Anonymous Coward | about 3 years ago | (#35697498)

PRINCE MIKE OKOYE.
His Royal Highness Palace.
45 Marina St.,
V/I,Lagos-Nigeria.

Atten: Managing Director.

Dear Sir,

I am Chief Accountant with the National Oil Nigeria
PLC (N/Oil) and member of 5 MAN Contract Executive
Review Panel (comprising 2 Snr.Staff of CBN and 3
Snr,Staff Of (N/Oil) set up by present Civilian Regime
of President Obasanjo. So far we have come across a
surplus of the sum of US$27M.(Twenty-seven Million
Dollars)which was as a result of deliberate
over-invoicing of certain contracts awarded by
Contract Award Committee of the cooperation.

The last installments due has been paid to the various
Contractors, while the said surplus still floats in
our Apex Bank waiting Off-shore remittance which we
want to carry out right now. As civil servants we not
allowed operate foreign account, therefore seek your
assistance in providing enabling Bank Account where
the Fund would be lodged.
25% of the total Sum is for you 5% for expenses during
transaction, and 70% for my colleagues and me.

A friend who is a Staff of World Trading Center (WTC)
here in Lagos made your contact available. Please
notify me of your acceptance to carry out this
transaction through the above E-mail address or fax
number.

I decided to contact you base on the fact that I have
no foreign partner to assist me in executing the
transaction. If you accept to carry out this business
with me, please note that my colleague and me will be
in your Country to receive the fund together with you,
the moment we secure all the necessary approvals.

You should also note that the transaction would only
take (14) fourteen working days.

you can also reply me to my private email
address:princemikeokoye57@safe-mail.net

Best Regards,

Prince mike okoye.

There are times like this where I'd like options (0)

Anonymous Coward | about 3 years ago | (#35697508)

like being able to declare an e-mail address dead, and know that the e-mail provider would be obligated to treat it that way, not just re-issue it to somebody else or whatever they wanted to do.

I've probably had 15 or 20 e-mail addresses over the years, most of them long since lost to attrition. Is somebody using my account now? Maybe. Hope not. At least some of the domains are gone, so I don't have to worry about them, more than likely anyway.

Ah well, not like I needed anything related to them, or any services I signed up for while on them. Even my old paypal account didn't have much money in it when I left it behind.

Pity my financial service provider doesn't have Two-token authentication yet. It's a pity that Blizzard and Square are ahead of them on that regard.

Re:There are times like this where I'd like option (1)

hedwards (940851) | about 3 years ago | (#35697628)

That's probably because it's cheaper to pay out whatever gets stolen and the government doesn't tell them they have to. I'm not sure how much the tokens cost, but last I heard, using chip and pin for credit cards costs somewhere around $40-50 each time they issue a card.

Re:There are times like this where I'd like option (0)

Anonymous Coward | about 3 years ago | (#35697942)

Google voids deleted email addresses. Probably good, since I've deleted 4 or 5 GMail/Google accounts.

Re:There are times like this where I'd like option (0)

Anonymous Coward | about 3 years ago | (#35700228)

Google voids deleted email addresses. Probably good, since I've deleted 4 or 5 GMail/Google accounts.

Well, that's good for them, but I had email before there was a Google, so what do I do?

Not that I care about my old college addresses or anything from that time but still, I wonder.

Idiots! (2)

snowgirl (978879) | about 3 years ago | (#35697510)

These people are idiots of outsourcing private information like that... that's why I keep all my customer data on my little notepad, which is.. right... um... around here somewhere... hm... oh well, I'm sure I'll find it eventually.

Re:Idiots! (0)

Anonymous Coward | about 3 years ago | (#35697964)

Sometimes openness is better than false security. I was told of a company which stored employee information (SSNs, etc) in password-protected Excel files. As a result of their 'presumed safety' they would then regularly transmit these 'secured' documents over email.

Insecurity of Excel encryption aside, the company made another mistake: the documents' passwords were formatted [last-name][first-initial][year-of-birth]. Supremely trivial to brute force.

Re:Idiots! (1)

Rich0 (548339) | about 3 years ago | (#35698980)

Any systematically generated (non-random) password suffers from this weakness. Once you figure out the system, all the extra passwords provide no real additional security.

This is why password aging provides no security benefit. When a hacker finds out that I've stopped using the password "loser15" they'll try "loser16" and get in on the next attempt. I imagine that 90% of people with accounts with password aging use such a system, making the aging itself useless.

Another Reason To Distrust The Cloud (1)

divide overflow (599608) | about 3 years ago | (#35697570)

Yet another example of why I'm inclined to avoid "cloud" (once known as hosted) services. Your data is at the mercy of people of unknown competency, working for companies with limited responsibility and questionable longevity.

Re:Another Reason To Distrust The Cloud (2)

postbigbang (761081) | about 3 years ago | (#35697592)

Data security doesn't matter where the data is located. It matters EVERYWHERE data is located. Incompetency is everywhere.

Standard reply: nothing is foolproof because fools are so ingenioius.

Re:Another Reason To Distrust The Cloud (0)

Anonymous Coward | about 3 years ago | (#35697626)

Incompetency is everywhere.

As is incompetence.

Re:Another Reason To Distrust The Cloud (1)

divide overflow (599608) | about 3 years ago | (#35697658)

Data security doesn't matter where the data is located. It matters EVERYWHERE data is located. Incompetency is everywhere.

All the more reason to take ownership of your data and to get the best people you can to manage it. Would you trust a complete stranger with your child? Then why should you trust a stranger with your confidential customer data? *If* it really matters you need to *treat it* as if it really matters.

Re:Another Reason To Distrust The Cloud (1)

LostCluster (625375) | about 3 years ago | (#35697662)

This isn't really a problem with "the cloud" as much as a "single point of failure" situation. With the magic of delivering thousands of e-mails without being marked as spam being held by a tight few, the major companies have no hope of employing a full-time E-mail Manager, they hire a third party to send the e-mail, and this really popular third party got hit with an intrusion attack. Oops.

4 million websites, fortune's fabled, compromised (-1)

Anonymous Coward | about 3 years ago | (#35697608)

the fear generation hypenosys campaign is as yet unproven. fortunately. the million babys+ play-dates etc, plus the native american teepeeleaks etchings tour (includes history of unspeakable real sex religious training & real time extermination by the chosen ones advance genocide prepping, & real estate redistribution teams), will be scheduling events coinciding with the crowd drawing chosen ones holycost (sponsor both sides) re-election pageants. should be a real something. both queers & other unchosens are expected.

there's only two queers left? how many unchosen? (-1)

Anonymous Coward | about 3 years ago | (#35697690)

many more than .5 billion of each. along with the babys, an unprecedented overwhelming 99.999% majority of the world wide population, with many more on the way. soon to acquire a valid 'vote' on stuff that really matters for all of us. after the never ending holycost ends, as the truth/real history etc catches up with us, the prven need to continually count everything continually will end too. ask the unproven still undead native americans, in person? see you there?

US Bank Email (3, Informative)

Anonymous Coward | about 3 years ago | (#35697732)

Here is the US Bank email I just got...

As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

Re:US Bank Email (1)

tresho (1000127) | about 3 years ago | (#35698188)

I got the same email from US Bank at about the same time. Time to change my password with them.

Re:US Bank Email (0)

Anonymous Coward | about 3 years ago | (#35698234)

Heh, they're actually called US Bank? Here I thought the author forgot an "a" (as in "an unnamed US bank"). They just got the most generic and boring name possible. Well, with all the phishing and impersonation attempts "US Bank" even sounds somewhat suspicious, as if somebody is trying to pretend to be an official institution.

Re:US Bank Email (1)

gander666 (723553) | about 3 years ago | (#35699006)

US Bank is one of the "big" banks. I use them, and have been very satisfied with their service (well, they get a bit aggressive in trying to sell me more service, but I politely decline, and they stop bugging me).

I got both the TIVO notification and the US Bank notification.

sigh. I will remain diligent, but I suspect that companies will continue to use contractors like Epsilon for all the reasons mentioned. Outbound communication via email is a lot more complicated than just setting up a big SMTP server and feeding it bulk lists.

if their security is as good as their programmers (5, Informative)

coutch (157269) | about 3 years ago | (#35697740)

.... then we're in trouble

I ran into their awful code back in August, when I was trying to sign in for a Sears email special (hey, I need some cheap tools ...)

the page is still there:
http://www.sears.com/shc/s/dap_10153_12605_DAP_Get%20Connected?adCell=WF [sears.com]

It wouldn't validate my password (say ... for example, "ab1cd2ef"), even though it met all the requirements:

"Password must be at least 8 characters, contain at least one number and one character, not start with a number and not contain any
special characters."

so I dug in a little, and found quite a gem of Javascript !
if (/^[a-zA-Z]+[0-9]+[a-zA-Z]*$/.test(oPass.value) == false) {
                alert(invalidMsg);
                oPass.focus();
                return false;
        }

it won't handle the two numbers ...

try it ... go to the sears link up there, and try registering with a password like ("ab1cd2de") ... don't worry, it won't work, so your (hopefully fake) email will be safe ...

if you want to see what's happening, have a look at the script.js file, and searh for the function verifyPass() ...
you can even see some commented out code of their previous attempts at implementing this basic functionality ...

I emailed Sears back in August, telling them where the error was, and a simple way to fix the regex used ... but all I got was an "out of office reply"

ah we.. I still managed to register after all, and have bought a few tools on sale ...

Re:if their security is as good as their programme (1)

hedwards (940851) | about 3 years ago | (#35697750)

I get bitten by incompetent validation fairly often. A password should not be accepted which is too long without throwing an error, and yet often times I set a 20 character password only to find out later that the maximum length is 16 and that they ignored those last 4 characters.

Re:if their security is as good as their programme (2)

matthewv789 (1803086) | about 3 years ago | (#35697898)

Not to argue with your point about the validation, but the chances that Epsilon had anything to do with implementing that Sears.com login page are virtually nil.

Re:if their security is as good as their programme (1)

alostpacket (1972110) | about 3 years ago | (#35699172)

A lot of email marketing companies provide "landing page" coding as well. Though you may be right in this case.

Re:if their security is as good as their programme (2, Informative)

Anonymous Coward | about 3 years ago | (#35699292)

Actually, the signup.aspx is in an iFrame on Sears that is pulled from Epsilon.com. So yes, Epsilon is the coder of the crap. A simple series of Test cases and some Googleing could have fixed that.

I too hate that when you are browsing a site that got something wrong and you try to point out how to fix it, since you are a customer and would like it to work in your browser of choice, and the company totally blows you off. When somebody gives you that detailed of an explanation about your problem, you should listen to them since they probably know what they are talking about. At least give it a try.

Re:what about back-end? (1)

Ramley (1168049) | about 3 years ago | (#35698672)

Nice catch on the front-end... now, what happens when you turn off Javascript? Do they use the same regex on the back-end? Do they check on the back-end?

Just curious, as I haven't had time to check for myself...

Re:what about back-end? (1)

coutch (157269) | about 3 years ago | (#35703420)

They must use a different one, I "forced" the bad password through, and it worked just fine (at least it did 8 months ago)

Re:if their security is as good as their programme (0)

Anonymous Coward | about 3 years ago | (#35699004)

I still managed to register after all, and have bought a few tools on sale ...

Thereby rewarding them despite their obvious ineptitude.

Or you could have spent a little more, but given your sale (and personal information) to someone else.

Re:if their security is as good as their programme (1)

xystren (522982) | about 3 years ago | (#35699688)

if their security is as good as their programmers .... then we're in trouble

This reminds me of the old computer laws I had on a mug in the early '80s... If construction workers built buildings the same way that programmers built programs, the first woodpecker that came along would destroy civilization.

Kroger's doesn't have my1040, college board does (1)

Anonymous Coward | about 3 years ago | (#35697792)

Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.

Re:Kroger's doesn't have my1040, college board doe (1)

93 Escort Wagon (326346) | about 3 years ago | (#35697824)

Whether epsilon has more or less info to disclose isnt as worrying as the companies that hire them. Kroger's and Brookstone don't typically have copie of all your financial information. College Board, who also run the financial aid application system for lots of colleges, has copies of 1040s, w2s, assets, etc.

Whew! All I can say is - thank goodness Epsilon's not in charge of RSA token security! If that got breached we'd be in REAL trouble!

Re:Kroger's doesn't have my1040, college board doe (1, Insightful)

Dainsanefh (2009638) | about 3 years ago | (#35698042)

If your school requires you to use the CSS financial aid application College Board (rather than FAFSA from the federal government), chances are you are in a wrong school, or you have too much assets that a little bit of ID theft shouldn't hurt. Heck, you may able to aggregate the loss as a result of ID theft and get that tax write off as a charitable expense (consult your tax attorney first), because who ever the nigga that cash in your identity must be on welfare. (For those of you don;t know, schools that require CSS application from college board are either ivy leagues or from the west coast. IF you getting in one of those, it is your civil duty to spread your trust fund around.)

Re:Kroger's doesn't have my1040, college board doe (2)

yuna49 (905461) | about 3 years ago | (#35698838)

My daughter would not be attending the high-quality, CSS-requiring educational institution she is today without a very hefty financial aid package from that school. Take your stupid and uninformed class warfare crap somewhere else, fella. I'm guessing you're just bitter that you weren't accepted into one of those institutions.

Re:Kroger's doesn't have my1040, college board doe (1)

nurb432 (527695) | about 3 years ago | (#35698786)

Kroger does have quite a bit, if you use their pharmacy, due to all the wonderful regulations.

Not saying that was part of the data they would send to a spam haus, but don't stick your head in the sand that they don't have a lot more data internally.

Re:Kroger's doesn't have my1040, college board doe (0)

Anonymous Coward | about 3 years ago | (#35700086)

Yes, Kroger might have more info, but it's not like someone could do something like record fake trust deeds and resell them with my pharmacy records.

new york & company (0)

Anonymous Coward | about 3 years ago | (#35697814)

New york n company also in the list..

ARG (0)

Anonymous Coward | about 3 years ago | (#35697868)

i just got 2 emails one from US bank and One from Tivo on this

I use my own domain with a different email address or each company. This is anyoing. US bank was already on my S^%&t list for other things.

Would it be wrong to .. (1)

kevorkian (142533) | about 3 years ago | (#35697966)

1) Find random email spam list on internet
2) Claim it is the "FAMOUS" list from Epsilon
3) Sell to spammers @ premium rate
4) PROFIT !!!

Re:Would it be wrong to .. (0)

Anonymous Coward | about 3 years ago | (#35698586)

You'd need to find one spammer that hasen't already obtained the list.

Get ready for..... (1)

HeavyDevelopment (1117531) | about 3 years ago | (#35697978)

Man: Well, what've you got?
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;
Vikings: Spam spam spam spam...
Waitress: ...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...
Vikings: Spam! Lovely spam! Lovely spam!
Waitress: ...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam.
Wife: Have you got anything without spam?
Waitress: Well, there's spam egg sausage and spam, that's not got much spam in it.
Wife: I don't want ANY spam!
Man: Why can't she have egg bacon spam and sausage?
Wife: THAT'S got spam in it!

PayPal (2)

EdIII (1114411) | about 3 years ago | (#35698028)

Well we know the phishing attempts on PayPal might increase by .000000000000000000000000000000000000000000001%.

My really old email address gets about 50 (about a dozen unique) different PayPal phishing attempts *per day*.

I initially (even though I hate the bastards) did what I thought was the right thing and reported them, but after awhile it was like using a teaspoon to bail the water out of a sinking ship :)

And the store wonder why... (1)

Anonymous Coward | about 3 years ago | (#35698416)

I refuse to give them my private information just to shave a few points off of my shopping bill. How much is your personal private information worth? Quite a lot, apparently...

HSN (Home Shopping Network) also... (1)

MrP- (45616) | about 3 years ago | (#35698590)

April 2, 2011

Dear HSN Customer,

HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.

Email scams, spam, and other attacks on email systems are on the rise, but, by taking certain precautions when receiving emails, you can continue to safely use email for your business and personal needs:

        * Don't open links or attachments from people you don't know and trust.
        * Don't provide personal, financial, or other sensitive information when asked to do so by email. Most reputable companies do not ask for such information by email, and, rest assured, we will not do so.
        * If you receive an email appearing to come from us that does ask you for sensitive information, do not respond, click on any links, or download any attachments. Instead, please inform us immediately at the toll-free number or email address provided below.

We take your privacy very seriously and work diligently to protect your information, whether held by us or by our service providers. HSN's internal databases, which store all customer-provided data, were in no way compromised. Our email provider has taken significant steps to further protect the limited customer information held in its databases. If you have any questions or concerns regarding this incident, please contact us toll free at 1-800-933-2887 or email us at customerservice@hsn.com.

Sincerely,
Gregg Stallwood
Senior Vice President, Customer Care â" HSN

Please do not reply to this email. If you would like to contact us, please call us toll free at 1-800-933-2887 or email us at customerservice@hsn.com.
HSN Interactive LLC | Attn: Customer Service | 1 HSN Drive | St. Petersburg, FL 33729â

       

Another possible use (1)

Registered Coward v2 (447531) | about 3 years ago | (#35698832)

If they have the email address and name of the associated company, phishing attacks may just be one way to use it. The could conceivably attempt to reset passwords at sites that let you do that with a security question (unlikely, given the time and effort required) or attempt to combine that data with password info stolen from a major email program and then reset passwords and steal them.

Great customer service there, Citibank (1)

yuna49 (905461) | about 3 years ago | (#35698854)

From TFA: "Citi also warned customers over Twitter about the incident"

So unless we're members of the twittering classes we're not deserving of notifications when a security breach occurs. Glad I'm not one of Citi's customers.

Re:Great customer service there, Citibank (1)

alostpacket (1972110) | about 3 years ago | (#35699192)

#doh #sorry #yerscrewed #citibankisanawardwinningbankforexcellencyincustomerservice We value your bit.ly/

Re:Great customer service there, Citibank (1)

Tihstae (86842) | about 3 years ago | (#35699640)

Well, Epsilon is a bit busy right now dealing with the compromise so Epsilon is probably waiting for Citi's check to clear before sending out the notice for Citi that Epsilon was hacked.

Figure out how to get around being called a spammer
Get lot of businesses to pay you for this knowledge
Get hacked.
Profit

Add Disney to the list (1)

plsuh (129598) | about 3 years ago | (#35699048)

Text of e-mail from Disney this morning:

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

Important Information for Disney Destinations Emai (0)

Anonymous Coward | about 3 years ago | (#35699050)

Sun, April 3, 2011 8:02:42 AM
Important Information for Disney Destinations Email Recipients
From:
Disney Destinations

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

Fine (1)

AmberBlackCat (829689) | about 3 years ago | (#35699088)

It's a little creepy how the securitylink page, linked to in the summary, asks you to give them your email address before you read the page...

Tivo too (0)

Anonymous Coward | about 3 years ago | (#35699288)

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

Sincerely,
The TiVo Team

Lots of data mining opportunities (0)

Anonymous Coward | about 3 years ago | (#35699638)

Data miners could have a field day with all these email lists. They could do lots of correlations of list memberships and derive lots of personal info, from "just lists" of emails.

Careers (1)

Tihstae (86842) | about 3 years ago | (#35699668)

I checked Epsilon's website. There are no IT Security jobs posted. Wonder how long it will be before that changes.

US Bank (1)

chemindefer (707238) | about 3 years ago | (#35700040)

US Bank already sucked, their website sporting the worst GUI since Windows 3. I had an REI Visa with them, their website would show me paid with zero balance even though I was carrying, and wouldn't let me add a payment, but then would suddenly show me overdue and add a late fee. I'd call up, they'd sometimes credit me, and it would start all over again. For over a decade I had no missed payments, suddenly I was having one every month.

It got fixed the day the new regs took effect, up to that point they were minting money from that website. They had plenty of collections people, often not very smart, often it took a couple of tries to get a payment made.

All in all, a nightmare compared to any other vendor I used, and a blight on REI's customer service rep. When the chance came, I paid them off first and kept away.

So this morning I got this in my email...

As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address. We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you. We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit: http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm [usbank.com] In addition, if you receive any suspicious looking emails, please tell us immediately. Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657). The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

I think it is only stupid evil companies that were using Epsilon. Litmus test.

The 'not just the banks' leak... (1)

the old rang (1671218) | about 3 years ago | (#35701824)

There are several MAJOR pieces of information missing from all the reports on this incident.

Mainly, the Brand (s)of Software involved.

Not the version, just the brand name.

Since 'Linux' was not mentioned, I would guess the same situation that exists in political coverage, is in play.

Anything 'negative' will not mention Microsoft. But, if any other OS is involved, 300 mentions with all the negatives, will occure in a 400 word article.

My bank uses 'Windows.'

They think Netscape 2.0 is a current browser.

They have no mention of Firefox in their documentation.

They tell me they are computer savvy.

BUT... they use Windows.

Want to bet that most of the systems involved in this problemuse Microsoft? (or ALL the systems do?)

Now I remember... (-1)

Anonymous Coward | about 3 years ago | (#35703914)

why I hate entrepreneurial programmers. You can either understand computers, or you can understand people. Very VERY rarely both.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...