SECURITY ADVISORY: Epsilon Breach Could Increase Spear Phishing Attacks-School of Architecture - Carnegie Mellon University

Monday, April 11, 2011

SECURITY ADVISORY: Epsilon Breach Could Increase Spear Phishing Attacks

Issued: Friday, April 8, 2011 (US Eastern Time)

Epsilon, a service provider that manages email communications for many companies, reported last week that it suffered a security breach that exposed names and email addresses for some of its clients' customers.

Although Epsilon has indicated that no other personally identifiable information was put at risk, the compromised information could be used to send spam, phishing email, or malware-infected email. Most concerning is a type of phishing known as "spear phishing," whereby a phisher exploits a trust relationship to convince you to supply sensitive data such as your login ID and password, credit card data, or banking information. Your name, your email address, and the name of a company that you do business with provide all the ingredients for a successful spear-phishing attack.

What Should You Do?

Be on the alert for an increase in unexpected email that asks you to verify accounts, update personal information, or send your password, either via Web links or in a direct reply to the email, especially from senders purporting to be one of the companies impacted by the Epsilon breach.

Do not respond to suspicious email and do not click on any links. Do not open attachments that you don't expect without first verifying with the sender.
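The advisory above lists the ingredients of a spear-phishing message and the signs to watch for: a sender claiming to be a company you do business with, links that do not go where they appear to, and a request to verify an account or hand over a password. As an added example (not part of this advisory and not Carnegie Mellon's tooling), the following Python script checks a constructed sample message for exactly those three indicators. The brand-to-domain mapping, the message, and every domain in it are made up for the demonstration.

```python
"""Flag common spear-phishing indicators in a raw RFC 5322 message.

Added example, not code from the advisory. Three checks mirror its advice:
1. the display name claims a known brand, but the address domain is not one
   the brand sends from;
2. visible link text that looks like a URL opens a different domain;
3. the body asks the reader to verify an account or supply a password.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (all names and domains are invented).
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank-update.test>
To: you@university.test
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Due to a recent security incident, please
<a href="http://login-examplebank.test/verify">https://www.examplebank.test/secure</a>
to verify your account and confirm your password within 24 hours.</p>
"""

# Hypothetical mapping of a brand (as written in a display name) to the
# domains it legitimately mails from. A real deployment would maintain this
# from the organization's own records, not hard-code it.
KNOWN_SENDER_DOMAINS = {
    "example bank": {"examplebank.test", "mail.examplebank.test"},
}

# Phrases the advisory calls out as typical of phishing requests.
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify your account|update (your )?(personal )?information|"
    r"confirm your password|send (us )?your password)\b",
    re.I,
)

# <a href="...">text</a>, capturing the real target and the visible text.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable-domain approximation: keep the last two labels.

    Good enough for the demo; real code would use a public-suffix list.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicator strings found in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    # 1. Brand in the display name vs. the domain of the actual address.
    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_SENDER_DOMAINS.items():
        legit = {registrable(d) for d in domains}
        if brand in display.lower() and registrable(sender_domain) not in legit:
            indicators.append(
                f"sender domain {sender_domain} does not belong to {brand}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    # 2. Link text that shows one URL while the href opens another domain.
    for href, text in ANCHOR.findall(body):
        shown_text = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"https?://", shown_text, re.I):
            shown = registrable(urlparse(shown_text).hostname or "")
            actual = registrable(urlparse(href).hostname or "")
            if shown != actual:
                indicators.append(f"link shows {shown} but opens {actual}")

    # 3. Wording that asks for credentials or account verification.
    plain = re.sub(r"<[^>]+>", " ", body)
    for m in CREDENTIAL_REQUEST.finditer(plain):
        indicators.append(f"credential request: '{m.group(0)}'")

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

Run against the constructed sample, the script reports the mismatched sender domain, the link whose visible text and target disagree, and the two credential-request phrases. None of these checks is a substitute for the advice above; a message that trips none of them can still be a phish, which is why the advisory says to verify with the sender rather than click.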

Learn how to spot phishing attempts by spending ten minutes playing the Anti-Phishing Phil and Phyllis games available on the Information Security Office's website:

Affected Companies

While the list of companies impacted by this breach continues to grow, some of the companies impacted include Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy. A more complete list of organizations that appear to be impacted by this breach is available at:

Since the time that the Epsilon breach was detected, affected companies have started notifying affected individuals, while working with federal authorities to fully investigate the breach. If any of your email accounts (including your university email account) were affected, you may receive one or more notices.

Whom to Contact

Please direct any questions or comments to the Computing Services Help Center (412-268-HELP) or to your departmental administrator or DSP consultant.

Computing Services
Carnegie Mellon University