Monday, April 11, 2011
SECURITY ADVISORY: Epsilon Breach Could Increase Spear Phishing Attacks
DATE: April 8, 2011 (US Eastern Time)
Epsilon, a service provider that manages email communications for many companies, reported last week that it suffered a security breach that exposed names and email addresses for some of its clients' customers.
Although Epsilon has indicated that no other personally identifiable information was put at risk, the compromised information could be used to send spam, phishing email, or malware-infected email. Most concerning is a type of phishing known as "spear phishing," in which a phisher exploits a trust relationship to convince you to supply sensitive data such as your login ID and password, credit card data, or banking information. Your name, your email address, and the name of a company that you do business with provide all the ingredients for a successful spear-phishing attack.
What Should You Do?
Be on the alert for an increase in unexpected email that might ask you to verify accounts, update personal information, or send your password, either via Web links or in direct reply to the email, especially from senders purporting to be from one of the companies impacted by the Epsilon breach.
Do not respond to suspicious email and do not click on any links. Do not open attachments that you don’t expect without verifying with the sender first.
Learn how to spot phishing attempts by spending ten minutes playing the Anti-Phishing Phil and Phyllis games available on the Information Security Office's website: http://www.cmu.edu/iso/aware/.
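The warning signs listed above (a sender claiming to be a company you do business with, a link whose visible text does not match where it actually points, and a request to verify an account or send a password) can also be checked mechanically before a message reaches a user. The following is an added example, not part of the CMU advisory or of any Epsilon client's tooling; the brand-to-domain table, the "Example Bank" brand, and both sample messages are constructed for illustration, and the domain matching is a deliberate simplification (a production filter would use the public suffix list and authenticated sender data such as SPF/DKIM results).

```python
"""Flag the spear-phishing indicators described in the advisory in a raw
email message, using only the Python standard library (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Brands that could be impersonated with a leaked name/email/company triple,
# mapped to the domains they legitimately send from. Constructed for this
# example; a real deployment would maintain this list per organisation.
KNOWN_BRANDS = {
    "Example Bank": {"examplebank.com"},
}

# Phrases typical of the credential requests the advisory warns about.
CREDENTIAL_REQUEST = re.compile(
    r"(verify your (account|identity)|update your (personal )?information|"
    r"confirm your password|reply with your (password|login))", re.I)


def registrable_domain(host):
    """Crude 'last two labels' approximation (example only); use the
    public suffix list in real code."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    """Return the host part of an http(s) URL, or '' if it is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1) if m else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts."""
    parts = list(msg.walk()) if msg.is_multipart() else [msg]
    text = ""
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return text


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no
    indicator from the advisory was observed."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name claims a known brand but the sending domain is not its.
    for brand, domains in KNOWN_BRANDS.items():
        if brand.lower() in display.lower() and from_dom not in domains:
            findings.append(f"display name '{display}' but sender domain '{from_dom}'")
    text = message_text(msg)
    # 2. Anchor text shows one domain while the href points somewhere else.
    collector = LinkCollector()
    collector.feed(text)
    for href, label in collector.links:
        href_host = host_of(href)
        label_host = host_of(label) or (label if re.fullmatch(r"[\w.-]+\.\w+", label) else "")
        if href_host and label_host and registrable_domain(href_host) != registrable_domain(label_host):
            findings.append(f"link text '{label}' but href host '{href_host}'")
    # 3. The message asks the reader to verify an account or supply credentials.
    m = CREDENTIAL_REQUEST.search(text)
    if m:
        findings.append(f"credential request: '{m.group(0)}'")
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: "Example Bank Customer Care" <care@examp1e-bank-alerts.net>
To: jane.doe@university.edu
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Dear Jane Doe,</p>
<p>Please <a href="http://login.examp1e-bank-alerts.net/verify">https://www.examplebank.com/secure</a>
to verify your account.</p>
"""

LEGIT = """From: "Example Bank" <alerts@examplebank.com>
To: jane.doe@university.edu
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>Dear Jane Doe,</p>
<p>Your March statement is ready. <a href="https://www.examplebank.com/statements">View statements</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or ["no indicators"])
```

The first sample trips all three checks (brand name with a look-alike sending domain, a link whose text shows the bank's site but whose href does not, and a "verify your account" request); the second, from the brand's own domain with a plainly labelled link, produces no findings. Such a filter is a triage aid, not a verdict: a message that passes all three checks can still be phishing, which is why the advice above to verify with the sender out of band still applies.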
While the list of companies impacted by this breach continues to grow, some of the companies impacted include Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy. A more complete list of organizations that appear to be impacted by this breach is available at:
Since the time that the Epsilon breach was detected, affected companies have started notifying affected individuals, while working with federal authorities to fully investigate the breach. If any of your email accounts (including your university email account) were affected, you may receive one or more notices.
Whom to Contact
Please direct any questions or comments to the Computing Services Help Center (412-268-HELP or firstname.lastname@example.org) or to your departmental administrator or DSP consultant.
Carnegie Mellon University