The End of Digital Innocence: What Does the Epsilon Breach Mean?

A Focused Attack

A hacker who has your email address, and your name, and the names of the businesses with whom you have relationships can launch truly insidious “spear phishing” attacks and, who knows, in a moment of acquisition ecstasy or carelessness you might just bite. In response to a very personalized email, people are much more likely to reveal truly personal information, or click on attachments far more venomous than the usual ham-handed and misspelled spam letters. Our whole lives are contained in our email files, as well as any confirmations of changes in our digital existence (and lest we forget, all password changes are confirmed back to our email). So when you innocently click on what appears to be an official memo, or email your BFF (or community thereof) to share the news about that great new car you just bought, voila!, you just provided another gateway to your digital soul, and handed a very clever and patient thief yet another piece of the puzzle they so lovingly cobble together in order to become you for their benefit. In the digital age, your email address, unique and personal to you, is as much of a unique identifier as your Social Security number. In fact, your email address may allow you to be financially “profiled” by very criminal minds.

“When one has tens of millions of email addresses and an effective spear-phishing strategy, even if only a low percentage of targets respond, we are still looking at millions of people who could unintentionally release their personal information to the wrong people, or unknowingly click on a malicious link that installs malware on their computer,” says Ondrej Krehel, information security officer at Credit.com’s sister company, Identity Theft 911. “Worse yet, these emails can be sent from all of their affiliations in the Epsilon database, perhaps on a weekly basis. The magical combination of customer emails and their affiliations with institutions gives hackers a more direct route for monetization.”

The Epsilon breach was the most high-profile, yet not the most potentially devastating, breach to happen in the last few weeks. In March, RSA Data, a provider of information security, risk and compliance solutions, also announced—rather grudgingly and in abstruse terms—a major security breach. Even now, no one knows the full extent of that breach. But a clearer picture is emerging of how it happened. An innocent (not terribly prescient) employee of RSA actually opened an attachment to an email with the subject line “2011 Recruitment Plan.xls” even though he found it in his junk mail file. The attachment contained a virus which enabled the hackers to probe him and others for a couple of days, using their email contacts and information to dig deeper and deeper into the mysterious world of RSA until ultimately they isolated the right high-access players who were the gateway to a very discrete section of the RSA system.

I am not talking here about some guy sending annoying spam to folks at RSA for his amusement. It was an “advanced persistent threat” attack that targeted their SecurID two-factor authentication product. Relentless, patient hackers spear-phished RSA employees using sophisticated and clandestine means to gain continual, persistent intelligence, according to a recent blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

There is a theory that this was a state-sponsored hack by a foreign government. Another theory is that it’s corporate espionage, in which globally divided superpowers compete for intellectual property.

Not About the “Quick Hit” Anymore

For years we have been telling people that unless you are talking credit card or account compromise, it is not about the quick hit. Now that affected institutions have taken Paul Revere’s ride through their customer base, it is not a slam dunk that millions of consumers will be instantly spear-phished.

Identities are currency. They are evergreen. Like fine wine they get better with age.

The trajectory of this crime is much more subtle. It will be done over time by very calculating and patient hackers adding one piece of the puzzle at a time. Over a period of months, even years, email will arrive from impostors posing as businesses representing all aspects of our lives. They will ask for a tad of information here and there, offer a link to an irresistible deal, call upon us to make an impulsive decision and provide some personal identifying information in return for a product or service we can’t live without. They will engage us, attempt to garner our trust, compromise our information or turn our computers into transmitters of account numbers and passwords.

With that firmly in mind, there are several things we must do: we must better secure our computers, be more skeptical and less forthcoming. We must read, think and evaluate the logic and value of the request and the reward before we click on any button other than “delete.”

So maybe Epsilon was aptly named. As it turns out, the company became entrenched in something out of a spy novel, and it certainly demonstrates “elasticity” of information, doesn’t it? Ronald Reagan wisely said in a different context, “trust but verify.” He was talking about nuclear arms, but our subject can also be deadly—fiscally—on a grand scale. The sad truth is that in the digitally dominated 21st century, you can forget about the trust part. Verify and protect everything. Always. Vigilantly. The World Wide Web is not a courtroom, but you can easily be made an innocent victim without due process.
