Epsilon e-mail hack: How you can protect yourself

Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; now I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address -- and maybe more.

If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a huge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital One, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the customers of its customers -- in other words, you and me.

A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, and Walgreens. Larry Ponemon, a security expert interviewed by the New York Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's overlap in those lists, but that's still millions of people.

Epsilon E-Mail Breach: 4 Unanswered Questions

By and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's because Epsilon has stated that only e-mail addresses and names were stolen. By themselves, that's not enough information to obtain really sensitive information like the password to your checking account.

I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the victim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.

Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." By that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are half way into your account simply by knowing your e-mail address. (Remember, they know you're a customer of say, Chase, because that information was stolen from Epsilon.)

It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, and often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit.

Here are two ways the bad guys may make use of that information, and what you can do to protect yourself.

Spear Phishing Attacks

You've probably heard of phishing. Simply put, that means luring a user to a site that's either a spam advertisement or one that has been infected with malware. It's called phishing because the hackers are fishing for victims. Spear phishing, though, is more insidious. Rather than send out an utterly random email to random victims, the spear phisher targets (or spears) a specific class of people, or sometimes even specific individuals, by using information about them to make the bogus pitch seem genuine.

Spearphishing Worries Follow Epsilon Breach

So if the hackers who broke into Epsilon learned that you have an account at Chase, you might well get an e-mail that looks like it came from Chase. Typically, that type of fraudulent e-mail would ask you to supply some sort of personal data, like your birthday or even a password to "verify" you account info. Often those e-mails are breathlessly urgent, saying that your account will be shut down immediately if you don't respond.

The defense is simple: Ignore e-mails asking you to supply personal information. No reputable company or e-mail provider will ask you for it.

Password Hacking

Guessing someone's password isn't always very hard. As a backup for forgetful users, many sites have so-called security questions, like "the name of my high school was" or "my favorite pet is." As Credit.com's Levin points out, "In the Facebook age, it's not difficult to figure out someone's high school or mother's maiden name." That's a great point.

Levin suggests answering those question prompts with information that's totally unrelated, like: "My pet's name is --- Omaha, Nebraska." But how would you remember that? At the very least, though, make those answers a lot tougher, or even decline to give yourself those hints.

Serious hackers don't sit around guessing your password; they use automated programs to do the hard work. That means you've got to stop using the same password over and over. As bad as it would be to have your checking account hacked, how would you like it if that same password open the door for hackers to access your retirement and investment accounts?

As you've no doubt heard, you should use strong passwords, which means they should be long, have letters, numbers and characters (like % or #) scattered randomly within them. And do not use your birthday or the names of your kids.

Drowning in Passwords: Tips and Tools to Stay Safe and Sane

Of course, you'll never remember those strong passwords, so I suggest using a password manager. I've recommended Roboform in the past and have recently heard good things about Last Pass, though I haven't tried it yet.

When you visit a site and fill in the username and password, the manager will remember them, and fill them in for you the next time you're there. You only have to remember a master password. Some of those programs will even generate a random password for you. Use it; it's likely to be stronger than anything you dream up.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net.

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitydata breachEpsilon

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Bill Snyder

Show Comments





Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?