Epsilon Breach Affects JPMorgan Chase, Capital One

CmdrTaco posted more than 3 years ago | from the sorry-bout-that-my-bad dept.

Crime 180

Orome1 writes "The recent Play.com breach has been tied to the attack that its marketing communications firm Silverpop — a company that services over 105 customers, among whom are Walgreens and McDonalds — suffered last December. But the latest breach will likely have the biggest impact, because marketing services provider Epsilon — the largest one in the world — has notified its customers of a breach that likely compromised all of their mailing lists. Among Epsilon's customers are US Bank, JPMorgan Chase, TiVo, Capital One, the Home Shopping Network, LL Bean Visa Card, Ritz-Carlton Rewards, Best Buy, Disney Destinations, Walgreens, and many more." How many apology emails have you got so far today?

180 comments

Received one this morning. (5, Interesting)

grub (11606) | more than 3 years ago | (#35709438)

I received this today. Another case where I'm happy to use throw-away accounts at a domain I own.

Dear [me],

We have been informed by our email service provider, Epsilon, that your name
and email address have been exposed by unauthorized entry into their system.
Epsilon deploys emails on our behalf to our Reward Zone members. Click here
to read Epsilon's statement.

We have been assured by Epsilon that the only information that has been
exposed was your name and email address. A rigorous assessment by Epsilon
has determined that account details, passwords or any other personal
information were not at risk.

It is possible that you may receive spam email messages as a result and we
would advise you to be very cautious when opening links or attachments from
unknown senders. More information on spam and protecting yourself from email
fraud can be found here.

In keeping with security industry best practices, Best Buy will never ask
you to provide or confirm any information, including credit card numbers,
unless you are on our secure e-commerce site, www.bestbuy.ca. If you receive
an email asking for personal information, delete it. It did not come from
Best Buy. The next scheduled email from Reward Zone about our Trade In Event
will arrive to your inbox on April 15, 2011.

Our service provider has reported this incident to the appropriate
authorities.

We regret this has taken place and any inconvenience this may have caused
you. We take your privacy very seriously, and we are working diligently to
fully investigate this situation and continue to protect your personal
information. If you have further concerns or questions please contact us:
1-866-BEST-BUY (238-7289) or customercare@bestbuycanada.ca.

Sincerely,

Angela Scardillo
Vice President of Marketing
Best Buy Canada

Re:Received one this morning. (1)

O(+inf) (2033618) | more than 3 years ago | (#35709446)

Ditto - the only one seen so far was from Best Buy.

Re:Received one this morning. (0)

Anonymous Coward | more than 3 years ago | (#35709472)

One from robert half international

Re:Received one this morning. (0)

Anonymous Coward | more than 3 years ago | (#35710020)

+1 for RHI/RHT

Re:Received one this morning. (0)

Anonymous Coward | more than 3 years ago | (#35709776)

The U.S. version had a commercial for BBY's Geek Squad.

Re:Received one this morning. (1)

gfreeman (456642) | more than 3 years ago | (#35709924)

Yup, I had one from TiVo.

Nothing, yet. (1)

ackthpt (218170) | more than 3 years ago | (#35709926)

I'm certain to receive at least one, which really does little to console me after the years of being spammed by the "legit" holders of my email addresses. This is why we have Gmail junk bucket accounts...

"Why, yes! I do have an email address for your bulletins and offers, it's [...]@gmail.com! (which I check once every blue moon or so)"

Re:Received one this morning. (1)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#35709992)

You don't perchance happen to have the email you sent them granting them permission to release your email address on to Epsilon and/or any other subcontractor/partnered company which fancy placed within their heads? I can only presume that no private company would be so dishonourable as to throw your or anyone else's email address about like corporate confetti paper without your explicit written permission. Perish the thought!

Re:Received one this morning. (1)

grub (11606) | more than 3 years ago | (#35710128)

It's usually in the small print of the contracts you sign to get a card from the firms.

Re:Received one this morning. (1)

omnichad (1198475) | more than 3 years ago | (#35710634)

You never signed anything to allow them to hire employees to send you these messages either. They have to pay somebody to do it. Where's the legal requirement that you can't hire outside your own corporation without permission?

Collegeboard.com (1)

sconeu (64226) | more than 3 years ago | (#35710696)

Only one so far

Re:Received one this morning. (1)

randizzle3000 (1276900) | more than 3 years ago | (#35710810)

My wife received one of these from USBank on Apr 3. I have not received anything.

None (2)

hedwards (940851) | more than 3 years ago | (#35709458)

I haven't gotten any yet, although I have done business with a few. If anything this is a reminder that services like Sneakemail [sneakemail.com] exist for a reason.

Re:None (0)

Anonymous Coward | more than 3 years ago | (#35709850)

used to use sneakemail specifically for these types of email messages.. too bad they no longer have the limited free level of service.

Re:None (0)

Anonymous Coward | more than 3 years ago | (#35710424)

$2 a month? Just use spamgourmet instead for free.

what good is an apology... (3, Insightful)

Lead Butthead (321013) | more than 3 years ago | (#35709478)

if the sender isn't sincere? the notifications are sent because they're required by law, not because they're truly sorry in any shape or form.

Re:what good is an apology... (1)

gujo-odori (473191) | more than 3 years ago | (#35709752)

None whatsoever, of course, except to let you know to be more vigilant than usual because your PII got pwned on their watch.

I work in anti-phishing. The weeks ahead should be interesting. Our bank was on the list of those pwned. Gotta warn my wife to be especially vigilant of phishing.

Re:what good is an apology... (0)

MollyB (162595) | more than 3 years ago | (#35710158)

Gotta warn my wife

How very condescending of you. I just bet she'll be thrilled to hear you have an excuse to harangue her. Leave your job at work...

Re:what good is an apology... (2)

mitler (1879900) | more than 3 years ago | (#35710446)

You're right. It's probably better that he not take the time to warn her that their email address may have been compromised, even though she may not work in the IT industry and not follow this type of news. At least she will feel like a strong independent woman as she clicks on that fake PayPal account verification link.

Re:what good is an apology... (0)

Anonymous Coward | more than 3 years ago | (#35710806)

No sense of humor, today? Good to know that Paternal Righteous Indignation is still swimming in the gene pool.
(hint: if he does this for a living, she's already aware of the peril from malmail)

Re:what good is an apology... (3, Informative)

Ambiguous Coward (205751) | more than 3 years ago | (#35709774)

Oh, come on now, let's be fair, they're all really quite sorry...

...sorry the public was made aware of the breach.

Re:what good is an apology... (1)

Anonymous Coward | more than 3 years ago | (#35709838)

If you ever expect a corporation to "be sorry" or truly remorseful then that's the problem. They can't, they are NOT people.

Re:what good is an apology... (1, Informative)

Anonymous Coward | more than 3 years ago | (#35709886)

the supreme court disagrees

Re:what good is an apology... (1)

Thud457 (234763) | more than 3 years ago | (#35710558)

they don't have souls,
hence are creatures of the devil
QED

Notification (1)

pavon (30274) | more than 3 years ago | (#35709984)

It is useful to let you know that your information has been compromised so you can take any appropriate action. The apology is just extra words, not the purpose of the communication.

Since when is sincerity a requirement? (1)

Chemisor (97276) | more than 3 years ago | (#35710064)

When someone asks you "how are you?", you know, just like everybody else, that the question is not sincere. Both you and the questioner expect an answer along the lines of "I'm fine", even if you're on your death bed. Both the question and the answer are merely part of the social protocol; give a token, get a token. It may seem pretty dumb, but it has worked just fine for centuries, and heck, without empty chit-chat what would people talk about?

Re:Since when is sincerity a requirement? (1)

Anonymous Coward | more than 3 years ago | (#35710826)

When someone asks you "how are you?", you know, just like everybody else, that the question is not sincere.

Speak for yourself. I know that it makes people feel better, because I can see their expression change, to have someone ask how they're doing, and when they do take the time to answer I usually find it interesting. I certainly have more pleasant and fewer stressful interactions with people, so on a day to day basis it makes my life better.

There is a caveat: you do have to make a conscious effort to be ready to stop and listen and take an interest in what they have to say. If you're actually in a hurry and you cut someone off, you'll definitely come across as insincere or patronizing.

Not a lot... (1)

rwven (663186) | more than 3 years ago | (#35709482)

So far, best buy and robert half technology.

Re:Not a lot... (2, Funny)

Anonymous Coward | more than 3 years ago | (#35709652)

we are spam twins!

Re:Not a lot... (1)

Svartalf (2997) | more than 3 years ago | (#35709794)

Ahhh... But the banks will putz and futz around before disclosing that they pooched this. (And they did...they outsourced this to a third party which doesn't have the same IT security requirements THEY have...) It's bad for business to own up to this sort of thing, and they'll put it off until the last possible moment.

Re:Not a lot... (1)

nschubach (922175) | more than 3 years ago | (#35710362)

Not sure if it was "putz and futz" but I got my alert from Chase before anyone else.

How does this happen? (2)

jaymz666 (34050) | more than 3 years ago | (#35709500)

I have received these from Best Buy and TiVo so far.

Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?

Re:How does this happen? (1, Informative)

jaymz666 (34050) | more than 3 years ago | (#35709512)

TiVo® Service Announcement

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.

Sincerely,
The TiVo Team

Re:How does this happen? (4, Interesting)

hedwards (940851) | more than 3 years ago | (#35709580)

It's not so much a matter of money as it is one of logistics. Maintaining a farm of mail servers for what is a relatively low volume of correspondence doesn't make much sense. You still have to keep them secured, track opt outs and all the other stuff, handing it over to a 3rd party generally makes more sense. Plus, there's no guarantee that they'll manage any better.

If anything this is just evidence that Epsilon screwed up and wasn't adequately separating the data. Without more information it's hard to say what they did, but chances are they were storing the various mailing lists on the same database servers.

Capital One spends a lot of money protecting its customers from fraud, I know that because they're regularly on the phone with me when their computers pick up suspicious activities, and typically the account is locked within a minute pending authorization from me. I have a hard time believing that they'd spend all that money on security in that area and then go with a cut cost fly by night vendor for managing their emails. It's possible, but strikes me as odd.

Re:How does this happen? (2)

compro01 (777531) | more than 3 years ago | (#35709962)

Epsilon's service includes dodging anti-spam measures, which would be difficult to do if it's not your primary business.

Re:How does this happen? (1)

jaymz666 (34050) | more than 3 years ago | (#35710048)

I guess sending less spammy messages would be too difficult a choice to make

Re:How does this happen? (3, Interesting)

omnichad (1198475) | more than 3 years ago | (#35710742)

I wish it were that easy these days. You try maintaining an email server to send out marketing messages when you don't have SPF, Domainkeys, or SenderScore certification. Even sending out undeliverable email notices will get you put on an IP block list before you knew what happened. I could go on, but none of these things involve spammy keywords being in the message at all.

Re:How does this happen? (1)

omnichad (1198475) | more than 3 years ago | (#35710754)

Even sending out undeliverable email notices

I meant to say "even if your server is configured to send out undeliverable email notices when emails are received for invalid addresses."

Re:How does this happen? (2)

compro01 (777531) | more than 3 years ago | (#35710880)

It's not the message content, but rather the traffic patterns. Lots of email providers use dumb systems like "if a particular mailserver sends me more than X messages at once, increase their spam probability by Y" and similar. Epsilon has that data, either from the ISPs or from their own testing and uses that to get around those measures.

As if you need to ask... (1)

ackthpt (218170) | more than 3 years ago | (#35709998)

Re:How does this happen?

I have received these from Best Buy and TiVo so far.

Seriously, why do all these companies outsource to such a crappy company that in one breach ALL their email lists get compromised? Does it really save them money to not operate the mailing lists themselves?

Cut costs, take lowest bidder, require no proof of secure measures in place or review of procedures - it's not always incompetence by the peons who build the systems, usually it's incompetence and avarice by those who remove or never hire the sort of positions which oversee data security and integrity.

Re:As if you need to ask... (1)

Anonymous Coward | more than 3 years ago | (#35710660)

American business would outsource baby care to rabid Tasmanian Devils if the bean-counters said it would save 25 cents per thousand served.

US Bank (2)

jmanforever (603829) | more than 3 years ago | (#35709508)

As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm [usbank.com]

In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

Re:US Bank (0)

HTH NE1 (675604) | more than 3 years ago | (#35709802)

Dear valued U.S. Bank customer,

Thank you for publicly confirming that you are a customer of U.S. Bank. Your Slashdot ID and pseudonym will now be added to our data mine for association to the other information we have on file, as well as your past posting history to better profile you and your interests.

Epsilon

Really, people? Do you know what you're doing when you post these? You're leaking more information about yourself and exposing another on-line identity to being known and associated by Big Data. Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?

Another post, another datapoint (0)

Anonymous Coward | more than 3 years ago | (#35710004)

I can see them going "Let me just store in my little database that "HTH NE1 (675604)" is overly concerned and probably a good spam target for anti-anxiety meds".

Just to be clear: EVERYTHING you post on the net gives someone, somewhere just a little bit of extra information. It all adds up. You've got that one right.

Re:Another post, another datapoint (1)

sexconker (1179573) | more than 3 years ago | (#35710630)

I can see them going "Let me just store in my little database that "HTH NE1 (675604)" is overly concerned and probably a good spam target for anti-anxiety meds".

Just to be clear: EVERYTHING you post on the net gives someone, somewhere just a little bit of extra information. It all adds up. You've got that one right.

While it all adds up, it's pretty easy to make the weight of many of those pieces negative by putting in false info wherever possible, thus confusing the beast.

- Rusty Shackleford

Re:US Bank (0)

smelch (1988698) | more than 3 years ago | (#35710026)

Your post is the most retarded post I've ever read.

Re:US Bank (1)

Cl1mh4224rd (265427) | more than 3 years ago | (#35710038)

Are you certain the precise phrasing of the letter you received is not unique to you, or even came from the institution it proclaims to be?

There is such a thing as unhealthy paranoia, sir. As another of US Bank's customers, I can confirm that the phrasing is identical. But who knows? Maybe there's some secret brainwave scanner encoded into the text which transmits the thoughts of anyone reading it back to US Bank's headquarters located in the heart of an active volcano.

Re:US Bank (1)

Svartalf (2997) | more than 3 years ago | (#35709826)

Now that's how a Bank should be handling this fiasco on the customer facing side. One wonders if they'll audit their suppliers a little better and more often.

Re:US Bank (0)

Anonymous Coward | more than 3 years ago | (#35710150)

Not if the email's any indication. Including a link to a bank's domain in an email from the bank? You're not supposed to do that - and now that they've done it the scammers will have a higher success rate as people will think it's normal for the bank to do that.

Re:US Bank (1)

Cl1mh4224rd (265427) | more than 3 years ago | (#35709928)

I got the same email. Ironically, Thunderbird flagged it as a potential scam. Heh.

Re:US Bank (0)

Anonymous Coward | more than 3 years ago | (#35710986)

I'm wondering now if scammers will start using all these messages to piggy-back off of and send more scam emails.

Dear valued U.S. Bank customer,

Please click this link to confirm you are who you are.

U.S. Bank

just Best Buy so far, I thought it was phishing (1)

TrogL (709814) | more than 3 years ago | (#35709516)

Called the company to report a phishing attempt and they said no, it was legit.

List of victim companies (1)

Machtyn (759119) | more than 3 years ago | (#35709520)

I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.

Re:List of victim companies (1)

Rob the Bold (788862) | more than 3 years ago | (#35709798)

I received two this morning. Best Buy and Robert Half. I'm sure there will be more coming. And I wonder what the impact will be. Really, the spam blocker hardware and software technology really do a decent job of reducing the trash.

That's an interesting point. It's not like spammers have a lack of email addresses. Most spam to mine -- like yours -- is blocked by spam blockers at the POP level, not because my primary email address isn't already out there.

So were "they" after something more than just a collection of addresses they could have obtained in less dramatic ways? I have to suppose that more than just addresses were lost, because otherwise, what's the point?

At first I thought maybe they wanted more up-to-date and valid information. But would this collection be necessarily of any higher quality? Surely plenty of these addresses are no good anymore just due to address churn switching ISPs. Right?

Best Buy and Ameriprise, so far. (1)

ptbarnett (159784) | more than 3 years ago | (#35709524)

I'm expecting one from Walgreen's and Marriott soon.

Got one yesterday (1)

WreckDiver (685191) | more than 3 years ago | (#35709558)

Epsilon Informs AbeBooks of E-mail Database Breach

We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.

As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.

Wonderful. (4, Interesting)

bobdotorg (598873) | more than 3 years ago | (#35709578)

I cancelled my Chase accounts a month ago when they instituted a $120 a year fee on their 'Free Lifetime Checking' accounts.

And yet they retained and leaked my email address.

Can I charge them a $10 monthly fee for spam removal?

Re:Wonderful. (1)

kitsunewarlock (971818) | more than 3 years ago | (#35709690)

Did they sign a contract you made to that or another effect along the lines of "if I ever want to charge you, I will." (Of course they send prior notice...albeit usually in 5 point font in what feels like a spam mailing to encourage it being dumped and forgotten about.)

Re:Wonderful. (1)

v1 (525388) | more than 3 years ago | (#35709756)

Yes, Chase seems to be in the business of driving away their customers nowadays. I took off when they decided to jack my interest rate from 9.9 to 18% for literally no reason.

Re:Wonderful. (1)

Jeremiah Cornelius (137) | more than 3 years ago | (#35709892)

Chase. What a great name! Chase your customers away!

I left them this week. The wife and I calculated the United rewards points we were supposedly accruing, versus the usurious increase in rates.

Let us just say that with our balance, it is cheaper to buy points at the ticketing kiosk.

Another bank we do business with will transfer the balance - at 0% for 1 year.

Re:Wonderful. (1)

Anonymous Coward | more than 3 years ago | (#35710102)

My favorite conversation ever with a credit card company.

"Hi my name is Jason, how can I help you."
"Yes I would like to remove this yearly fee on my credit card."
"I am not sure we can do that."
"By the end of this call the yearly fee for this credit card will be gone."
"Well sir by the terms of your contract we can not remove it."
"I would like another credit card that does not have it then."
"We can not do that right now."
"By the end of this call the yearly fee for this credit card will be gone."
"That is not possible to do."
"Yes it is. I would like to cancel the card."
"Oh yeah I guess that would get rid of the fee."

Re:Wonderful. (1)

FutureDomain (1073116) | more than 3 years ago | (#35710044)

Can I charge them a $10 monthly fee for spam removal?

No, but if you had a unique address for them at your own domain then you could bounce all the spam to one of their email addresses.

4 For me (0)

Anonymous Coward | more than 3 years ago | (#35709616)

4 - Chase, Best Buy, Robert Half, Ameriprise

already a casualty (1)

ArhcAngel (247594) | more than 3 years ago | (#35709618)

I just checked and somebody used my CITI card to buy several new large screen TVs and all sorts of electronic equipment. Guess I'll have to call this in....

Re:already a casualty (1)

Anonymous Coward | more than 3 years ago | (#35709650)

You used your CITI card number for your email address?

Re:already a casualty (0)

Anonymous Coward | more than 3 years ago | (#35709718)

You used your CITI card number for your email address?

whoosh

Re:already a casualty (1)

Svartalf (2997) | more than 3 years ago | (#35709836)

No... Some clients gave out more info than they ought to and it sat on Epsilon's databases.

Re:already a casualty (1)

ArhcAngel (247594) | more than 3 years ago | (#35710290)

While you are indeed correct I think the whoosh comment above is more fitting. Fortunately my cards thus far have been untainted. I will however be watching them like a hawk for the foreseeable future.

Re:already a casualty (1)

canajin56 (660655) | more than 3 years ago | (#35710412)

Epsilon said the breach was only names and email addresses, with the exception of a few clients who had member balances or other minor data included in their mailings (such as member points, where some sale flyers will tell you how many points you have to spend on these cool savings). CITI itself said the breach was only names and email addresses. So your conspiracy theory is that they are both lying, and the breach included credit card numbers. But, since both companies involved insist that they have checked and concluded it was only the mailing list, you must be getting your info from the other side! So, are you the hacker himself? Or are you just friends with the guys who stole this data?

Non-issue (0)

Anonymous Coward | more than 3 years ago | (#35709638)

Just one apology from Best Buy with the subject "Important Email Security Alert" (Don't most phishers use that same subject line?) But if Best Buy has my email address, it is already my spam email box, which was published on the web years ago (Thanks Eric S. Raymond! Googling that email address only returns 43 hits.)

Two so far (1)

Rob the Bold (788862) | more than 3 years ago | (#35709724)

So far I've gotten two. Best Buy and Home Shopping Network.

I'd forgotten I'd even had accounts there. I wonder what other news of my past I'll be receiving this week.

One from Robert Half (3, Informative)

wiredog (43288) | more than 3 years ago | (#35709740)

They have my email because they are tech headhunters, and I was unemployed a few years back.

 

Dear Valued Customer,

Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf.

We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com.

Sincerely,

Robert Half Customer Care

Re:One from Robert Half (1)

sajuuk (1371145) | more than 3 years ago | (#35709842)

Same here, I totally forgot I had applied for a job through them when I was hunting for work right out of college.

Email encryption (1)

rwa2 (4391) | more than 3 years ago | (#35709788)

Wasn't stuff like PGP / GPG supposed to solve all of email's problems by allowing people to use real email whitelists? Is there any effort to use public-private keyrings to sign email, so we can simply filter out all the spam that isn't signed by someone we don't know? If we actually used this stuff, they'd just have to revoke their private key (if it was among the data compromised) issue a new one (along with the apology) and be done... the email addresses wouldn't be of much further use to a spammer if people/procmail just ignored unsigned emails.

I'd hate to think that Facebook might become the de-facto replacement for email just because most of the webmail providers don't make it easier to set all that encryption stuff up.

Re:Email encryption (1)

Chemisor (97276) | more than 3 years ago | (#35710306)

Having webmail provide encryption has one obvious problem: you have to give the webmail provider your secret key, implying a level of trust you probably do not have for them. You could, of course, use Thunderbird and Enigmail, but that still will not help you check your mail on any computer that isn't yours. Then there's the hassle of convincing your friends to use encryption. That task pretty much becomes impossible once you mention that a passphrase will henceforth be required to send email. GPG goes to incredible lengths to prevent people from not setting a password on the secret key; an option that would have allowed me to enable encryption transparently. (Yeah, yeah, it's a security risk, but you know what? The threat of a local attack is exactly zero for most people) With all these inconveniences it is no wonder nobody does email encryption when it is so much easier to use plain webmail and not worry about it.

My stock reply: (1)

nitehawk214 (222219) | more than 3 years ago | (#35709810)

To every one of these I send this reply:

I hold your company directly responsible for this breach of privacy. I do not care that you place the blame with a 3rd party company.

I encourage everyone who receives these apology emails to do the same. Perhaps companies will care about privacy. (Ok, I don't really believe that. But it is a good test to see if anyone actually reads replies to these emails.)

Re:My stock reply: (1)

jaymz666 (34050) | more than 3 years ago | (#35709846)

Is it ironic that they used Epsilon to send these warning emails from?

Re:My stock reply: (0)

Anonymous Coward | more than 3 years ago | (#35710278)

You didn't expect them to stop, did you?

Your stock reply don't mean squat. (0)

Anonymous Coward | more than 3 years ago | (#35709974)

a) nobody at the "institution" gives a flying sh_t what you think.
b) nobody at the "institution" reads the replies from mass e-mail anyways.
c) nobody at the "institution" is sincere about that apology anyhow.

if you want to get their attention, get your torch and pitchforks out and storm the headquarter of the "institution." that will get their undivided attention REAL FAST (for a fraction of a minute,) of course, you might get shot by their rent-a-cop or the local PD...

Re:Your stock reply don't mean squat. (1)

nitehawk214 (222219) | more than 3 years ago | (#35710708)

Well the email to Best Buy bounced. So yeah, they really don't give a shit to the point where they don't even pretend to accept replies.

So far 3, but many more companies that I deal .... (1)

cjdavis618 (1809874) | more than 3 years ago | (#35709812)

with haven't notified me. This is more troublesome than the ones that have. I don't really worry about spam overall, but like others said, the lack of credible information about the issue is annoying. Epsilon should be notifying us directly and furthermore, most of these companies agreed not to share our information with outside firms for marketing. Doesn't Epsilon qualify as an outside firm for marketing?

I wonder... (2)

jaymz666 (34050) | more than 3 years ago | (#35709814)

Did they use Epsilon to send out the security alert warning emails?

>Received: from
> by pimta03.epsiloninteractive.com

Looks like it.... Hmmm... what does that say about it?
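An added example, not part of the original comment: a check of whether a notice really arrived via a given provider's relay, trusting only the Received line stamped by the recipient's own mail server. The MX name `mx.recipient.example`, the Postfix-style header layout and all sample values other than the relay name quoted above are assumptions.

```python
import email
import re

# Constructed messages, not captured mail. Only the relay name
# pimta03.epsiloninteractive.com comes from the comment above; the other
# hosts, addresses and dates are made up for illustration.
GENUINE = (
    "Received: from pimta03.epsiloninteractive.com"
    " (pimta03.epsiloninteractive.com [192.0.2.10])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 4 Apr 2011 09:00:02 -0400\n"
    "Received: from app01.internal.invalid\n"
    "\tby pimta03.epsiloninteractive.com with SMTP; Mon, 4 Apr 2011 09:00:01 -0400\n"
    "Subject: Important information\n\nBody.\n"
)
# Same lower header and HELO name, but our MX recorded a different peer: the
# lower Received line was supplied by the sender and proves nothing.
FORGED = GENUINE.replace(
    "from pimta03.epsiloninteractive.com (pimta03.epsiloninteractive.com [192.0.2.10])",
    "from pimta03.epsiloninteractive.com (host.elsewhere.example [198.51.100.7])",
)

# Assumed Postfix-style trace line: from <HELO> (<rDNS> [<IP>]) by <host> ...
HOP = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.S,
)

def hops(raw):
    """Return parsed Received hops, newest first."""
    msg = email.message_from_string(raw)
    matches = (HOP.search(v) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in matches if m]

def handed_off_by(raw, own_mx, provider_domain):
    """True if the hop stamped by own_mx records a peer under provider_domain.

    Headers below that hop are sender-supplied, so they are ignored; the
    rDNS name the MX recorded is used, not the HELO name the client claimed.
    """
    for hop in hops(raw):
        if hop["by"].lower() == own_mx.lower():
            peer = (hop["rdns"] or "").lower().rstrip(".")
            return peer == provider_domain or peer.endswith("." + provider_domain)
    return False
```

Where the receiving server records SPF or DKIM results in an Authentication-Results header, that is a stronger signal than the relay name alone.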

Re:I wonder... (1)

Rob the Bold (788862) | more than 3 years ago | (#35709874)

Did they use Epsilon to send out the security alert warning emails?

>Received: from
> by pimta03.epsiloninteractive.com

Looks like it.... Hmmm... what does that say about it?

If I were Best Buy or whoever, I would be telling Epsilon "you broke it, you fix it." Which in this case means -- at a minimum -- sending out these notices. So I'm really not surprised. Maybe surprised a little at first.

I've got three. (1)

Ecuador (740021) | more than 3 years ago | (#35709828)

Disney Destinations, New York & Company, AbeBooks. I'm waiting to see how these addresses (each being a different one of course) will get used. Will it be spam, trojans, Nigerian princes or something new and exciting? ;)

Tivo (1)

Xian97 (714198) | more than 3 years ago | (#35709866)

I received one from Tivo, and I haven't been a customer for over 2 years. I guess they still had my account info stored. It was actually my father's account, but since he doesn't have a computer we used my contact info.

Only one email... (1)

Cl1mh4224rd (265427) | more than 3 years ago | (#35709910)

I've only received one from US Bank on April 2 (two days ago). It was the first I had heard of the incident.

I've had spam by the thousands for 2 weeks... (1)

kaizendojo (956951) | more than 3 years ago | (#35709954)

and only found out why on Saturday.

credit card PIN and 3 digit verifier compromised (-1)

Anonymous Coward | more than 3 years ago | (#35710018)

I left my credit card at a bar, to "keep the tab open", and when I left they returned to me somebody else's card. After I went back to get my card the next day, I found that somebody had withdrawn every dime from my account (way over the $500 limit per day??). The only possible way this could happen is if they knew my PIN, and the fraud officer in charge of my case said it was probably MY fault because I gave them my PIN. Of course I didn't.

Probably, since I used that card for many Internet transactions, everything they needed to know was in some criminal database somewhere, and the bar owners (I suspect the bar itself) already knew they could drain my account after they swiped my card.

Attacks and disclosures of sensitive information continue, but where are the credit card companies? They need to increase the security of their cards. A simple number on a magnetic strip and a code on the back of the card are NO LONGER GOOD ENOUGH. They need to improve their product or people might stop using credit cards. I myself now use mostly cash, and I don't buy things over the Internet any more, because really, why should I trust ANY vendor? Even if I trusted them, when they get hacked, which they eventually will, what can they do? My information is already in the hands of the bad guys.

Re:credit card PIN and 3 digit verifier compromise (1)

Eric(b0mb)Dennis (629047) | more than 3 years ago | (#35710444)

Check it out, there's no catch all 'criminal database' full of people's credit cards and PIN numbers. If this was the case, a group could simply use this list to make everyone aware of the impending fraud...

Most 'carding' activity is done via forums and IRC.. where credit card dumps (dumps of the magnetic strip) and numbers/info are SOLD for anywhere from $1-$5 each, depending on the value of the card in question.. and if it's a dump or just information. The dumps can be used to 'write' the information to blank magstrips (other credit cards, hotel key cards) with the right hardware.

The only way these criminals withdrew the money from your account was with your PIN number. The fraud officer was right. You can make purchases without a PIN using the credit aspect of a card, but you CANNOT withdraw money.. You can't even get 'cash back' without using the ATM part of the card. Somewhere along the lines you must've disclosed your PIN number. Can't you contact the establishments where the money was taken (where the ATM or whatever device was used to obtain the money) they almost universally have cameras on them now.. for the fact that you can say 'that wasn't me' and request a camera shot of the person taking the money out... with that evidence in hand it's usually very easy from there to get the charges removed.

One from Chase (0)

Anonymous Coward | more than 3 years ago | (#35710042)

I got this email from Chase:

Note: This is a service message with information related to your e-mail address.

Chase is letting our customers know that we have been informed by
Epsilon, a vendor we use to send e-mails, that an unauthorized
person outside Epsilon accessed files that included e-mail addresses
of some Chase customers. We have a team at Epsilon investigating
and we are confident that the information that was retrieved included
some Chase customer e-mail addresses, but did not include any
customer account or financial information. Based on everything we
know, your accounts and confidential information remain secure. As
always, we are advising our customers of everything we know as we
know it, and will keep you informed on what impact, if any, this
will have on you.

We apologize if this causes you any inconvenience. We want to
remind you that Chase will never ask for your personal information
or login credentials in an e-mail. As always, be cautious if you
receive e-mails asking for your personal information and be on the
lookout for unwanted spam. It is not Chase's practice to request
personal information by e-mail.

As a reminder, we recommend that you:
- Don't give your Chase Online(SM) User ID or password in e-mail.

- Don't respond to e-mails that require you to enter personal
    information directly into the e-mail.

- Don't respond to e-mails threatening to close your account if you do
    not take the immediate action of providing personal information.

- Don't reply to e-mails asking you to send personal information.

- Don't use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we
strive to handle it carefully at all times. Please visit our Security
Center at chase.com and click on "Fraud Information" under the "How to
Report Fraud."
http://notifications1.chase.com/244387027.3709.0.782
It provides additional information on exercising caution
when reading e-mails that appear to be sent by us.

Sincerely,

Patricia O. Baker

Senior Vice President

Chase Executive Office
----

If you want to contact Chase, please do not reply to this message,
but instead go to Chase Online. For faster service, please enroll or
log in to your account. Replies to this message will not be read or
responded to.

Your personal information is protected by advanced technology. For
more detailed security information, view our Online Privacy Notice:
http://notifications1.chase.com/244387027.3709.0.563
To request in writing: Chase Privacy Operations, P.O. Box 659752,
San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
(C) 2011 JPMorgan Chase & Co.

LCEPAEM0311

Brave New Marketing Services (4, Funny)

AdamThor (995520) | more than 3 years ago | (#35710072)

Arrrrg! Freaking Epsilons! Never send an Epsilon to do Alpha work, I guess.

Re:Brave New Marketing Services (1)

dstyle5 (702493) | more than 3 years ago | (#35710560)

Don't blame the Epsilons, even Alphas can have their blood-surrogate tainted before decanting.

Re:Brave New Marketing Services (1)

AdamThor (995520) | more than 3 years ago | (#35710714)

*glances involuntarily at Bernard*...

Re:Brave New Marketing Services (0)

Anonymous Coward | more than 3 years ago | (#35710700)

Here, have some Soma.

One from Citi this morning... (1)

sillivalley (411349) | more than 3 years ago | (#35710320)

Citi hasn't been doing too well on these things recently; they've replaced our cards twice in the last few months.

Outsourcing saves companies money because the outfit that takes the business can achieve better economies of scale -- yeah, they can compromise tens of millions of accounts at once for multiple firms, rather than the measly million or two that would have been screwed otherwise...

Good thing I use unique passwords. (0)

Anonymous Coward | more than 3 years ago | (#35710468)

I've gotten two emails today... One from TiVo, and one from Chase Bank.

Thrilling.

NONE. (0)

neo (4625) | more than 3 years ago | (#35710494)

Thankfully I don't work for any of those slave shops. I knew I should have taken the blue pill.

Is it a breach? (1)

dir-wizard (549259) | more than 3 years ago | (#35710504)

.. If the client companies already sold their email lists to various marketing firms?

Doesn't matter (1)

Zoinky (915530) | more than 3 years ago | (#35710540)

I use two email addresses, one that I provide to companies that I do business with, and one that I use for personal correspondence and everywhere else online (public forums, etc.). The "business" email has always received much more spam than the one I use and give out liberally everywhere else online. Looks to me like they're just sorry that someone got my email address for free, rather than them being able to sell my address to another one of their "partners".

The answer (0)

Anonymous Coward | more than 3 years ago | (#35710726)

How many apology emails have you got so far today?

Three. I made sure I was removed from their lists.
