Epsilon e-mail hack: How you can protect yourself

Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; now I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address -- and maybe more.

If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a huge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital One, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the customers of its customers -- in other words, you and me.

A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, and Walgreens. Larry Ponemon, a security expert interviewed by the New York Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's overlap in those lists, but that's still millions of people.

Epsilon E-Mail Breach: 4 Unanswered Questions

By and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's because Epsilon has stated that only e-mail addresses and names were stolen. By themselves, that's not enough information to obtain really sensitive information like the password to your checking account.

I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the victim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.

Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." By that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are half way into your account simply by knowing your e-mail address. (Remember, they know you're a customer of say, Chase, because that information was stolen from Epsilon.)

It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, and often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit.

Here are two ways the bad guys may make use of that information, and what you can do to protect yourself.

Spear Phishing Attacks

You've probably heard of phishing. Simply put, that means luring a user to a site that's either a spam advertisement or one that has been infected with malware. It's called phishing because the hackers are fishing for victims. Spear phishing, though, is more insidious. Rather than send out an utterly random email to random victims, the spear phisher targets (or spears) a specific class of people, or sometimes even specific individuals, by using information about them to make the bogus pitch seem genuine.

Spearphishing Worries Follow Epsilon Breach

So if the hackers who broke into Epsilon learned that you have an account at Chase, you might well get an e-mail that looks like it came from Chase. Typically, that type of fraudulent e-mail would ask you to supply some sort of personal data, like your birthday or even a password to "verify" you account info. Often those e-mails are breathlessly urgent, saying that your account will be shut down immediately if you don't respond.

The defense is simple: Ignore e-mails asking you to supply personal information. No reputable company or e-mail provider will ask you for it.

Password Hacking

Guessing someone's password isn't always very hard. As a backup for forgetful users, many sites have so-called security questions, like "the name of my high school was" or "my favorite pet is." As Credit.com's Levin points out, "In the Facebook age, it's not difficult to figure out someone's high school or mother's maiden name." That's a great point.

Levin suggests answering those question prompts with information that's totally unrelated, like: "My pet's name is --- Omaha, Nebraska." But how would you remember that? At the very least, though, make those answers a lot tougher, or even decline to give yourself those hints.

Serious hackers don't sit around guessing your password; they use automated programs to do the hard work. That means you've got to stop using the same password over and over. As bad as it would be to have your checking account hacked, how would you like it if that same password open the door for hackers to access your retirement and investment accounts?

As you've no doubt heard, you should use strong passwords, which means they should be long, have letters, numbers and characters (like % or #) scattered randomly within them. And do not use your birthday or the names of your kids.

Drowning in Passwords: Tips and Tools to Stay Safe and Sane

Of course, you'll never remember those strong passwords, so I suggest using a password manager. I've recommended Roboform in the past and have recently heard good things about Last Pass, though I haven't tried it yet.

When you visit a site and fill in the username and password, the manager will remember them, and fill them in for you the next time you're there. You only have to remember a master password. Some of those programs will even generate a random password for you. Use it; it's likely to be stronger than anything you dream up.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net.

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Epsilon

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Bill Snyder

Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?