A massive data breach at an Internet marketing company has compromised the personal information of customers at some of the nation’s largest banks, retailers and grocery stores. The number of people whose information was exposed is not yet known.
The breach occurred at Epsilon, which handles marketing and e-mail communications with customers for major corporations including Citibank, Best Buy and the Kroger grocery chain. Epsilon did not return calls seeking comment.
But according to a company statement on April 1, an unauthorized user gained access to a portion of Epsilon’s e-mail system. Security Week reports the list of companies affected by the breach includes Citibank, JP Morgan Chase, US Bank, Kroger, Walgreens, Best Buy and TiVo.
So what’s the big deal about having your e-mail information breached, particularly in this case? As Security Week points out, hackers gained access to the companies’ customer lists. This gives them the advantage of tying your full name and e-mail to the companies and financial institutions of which you’re a customer. They can use this information to give a sense of legitimacy to bogus (but usually very official-looking) e-mails in which they ask you for passwords or other sensitive information. This is what’s known as “spear phishing.” Here’s an excellent guide on spotting and avoiding Internet scams.
In related news, a restaurant company that failed to protect its patrons’ personal information agreed to pay a $110,000 fine for failing to follow Massachusetts’ tough data privacy law. The Briar Group owns popular bars and restaurants around Boston including MJ O’Connor’s, The Lenox, Ned Devine’s, The Harp and The Green Briar.
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” Attorney General Martha Coakley said in a press release. “Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”
The company put the credit card information of tens of thousands of people at risk of identity theft, according to the release. Hackers installed software on the company’s computer systems in April 2009 to steal customers’ credit and debit card information; the malware wasn’t removed until December 2009.
Nevertheless, the company continued to accept credit and debit cards even after it knew of the breach, according to the release. It also failed to secure its in-store computers.