Wednesday, April 6, 2011

Epsilon Evolves

Last weeks security breach at Epsilon Interactive, an Alliance Data Systems Corporation out of  Texas was well reported in the information security news, but I haven't seen too much information in the mainstream news, which apparently reflects an ignorance in consumers and provides an area for education for those in Information Security.


A short list of the customers of Epsilon's marketing services read's like a Who's Who of companies that most consumers deal with on a daily basis. When I see this list, it makes me wonder what due diligence the companies did to ensure that Epsilon follows best-practices for information security. Anyway, this list includes:

  • Capitol One
  • Citi
  • JP Morgan Chase
  • U.S. Bank
  • Barclays Bank of Delaware
  • Ameriprise Financial
  • Robert Half International
  • Ritz Carlton Rewards
  • Marriott Rewards
  • Hilton Hotels
  • Red Roof Inn
  • McKinsey & Co.
  • Meijer
  • Home Shopping Network
  • AbeBooks
  • New York & Company
  • Brookstone
  • Walgreen's
  • Kroger
  • BeachBody
  • The College Board
  • LL Bean
  • TigerDirect
  • Bebe
  • Benefit Cosmetics
  • Disney Destinations
  • Lacoste
  • Best Buy (Reward Zone/Credit Cards)
  • Ethan Allen
  • 1-800-Flowers.com
  • The Home Depot
  • Verizon
  • Best Buy
  • TiVo


I, like many people, have several email addresses such as one for work, one for personal use, etc. Incidents like the Epsilon breach serve to show us that we have to be more proactive in giving out our data. Yes, the company that we give our information to may just use it for "internal purposes" and yes, you may have "opted out" of any email correspondence (which probably just means that there is a field in a database that says to not contact you), but the fact of the matter is that they still have the information and if it falls into the wrong hands, it's as good as public. This information can (and will be) sold and used for spear phishing attacks, which are attacks tailored and targeted to you based upon the information that the attacker has.

So, what can we do as consumers?

Don't give out personal information. I know that some places make it "mandatory", but how about getting a PO Box for these instances?

Use your initial instead of your first name on a form.

Have a separate email address that you use for businesses, forms, marketing, etc.

Use different passwords that are unique to each company that you deal with, so if a list with your information is compromised, the attackers do not have THE password that you use for everything, including banking.

Lastly, we can also demand that Epsilon discloses the depth and details of the breach.

No comments:

Post a Comment