U.S. asked to investigate Epsilon breach
E-mail services giant's data exploited by spear-phishing attack, one report states
- By Kevin McCaney
- Apr 07, 2011
The U.S. attorney general’s office is being asked to investigate the breach of e-mail service provider Epsilon, which sends about 40 billion marketing e-mails a year on behalf of 2,500 clients.
The company reported on April 1 that a “subset” of its client data had been exposed. Since then, many of the companies Epsilon proves services to – which includes clients such as City, Disney, the College Board and Walgreens – have notified people on their mailing lists about the breach, warning them to be on guard against phishing attacks.
The company said about 50 of its clients were affected, according to a report in Fast Company. The information stolen reportedly included names and e-mail addresses but no other personal information.
RSA hack exploited Flash vulnerability
The cure is known, but the cyber disease persists
Epsilon has not given many other details on the breach, but the Australian website ITnews reported that the breach resulted from a four-month-old spear-phishing attack – which Epsilon was aware of – aimed at employees of e-mail service providers.
The phishing attacks used social engineering tricks, such as an e-mail from a supposed old friend inviting the recipient to view her wedding pictures. The link to the pictures would download malware that disabled antivirus software, stole passwords and gave administrator control of the computer to hackers, ITnews reported.
In light of the potential extent of the breach, Sen. Richard Blumenthal (D-Conn.) has asked U.S. Attorney General Eric Holder to investigate Epsilon for “possible civil and criminal liability” in the incident and called on Epsilon to be more forthcoming with information.
“If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years,” Blumenthal wrote in his request.
He pointed out that Epsilon’s customers have notified people of the breach, but that Epsilon has not even released a list of the companies affected.
Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.