MADISON, Wis. (4/11/11)--Almost everyone seems to know someone whose name and e-mail address were among the millions compromised in a hacking of Epsilon, the world's largest e-mail marketer. Security experts and credit unions warned last week that consumers will see a sharp hike in phishing e-mails--especially targeted or "spear" phishing.
Just how big is this breach, and how will it affect credit unions and members? Some say it likely will top the largest breach in history--the Heartland Payment Systems breach of 40 million accounts disclosed in 2009.
Epsilon's parent company, Alliance Data Systems Corp., discovered the breach on March 30 and said it affects roughly 2% of its 2,500 clients. However, more and more of its clients are notifying their customers that their addresses were among those compromised.
Epsilon's clients include some of the world's largest retailers, banks and financial service companies, and telecommunications companies: Capital One Financial, Barclays Bank, U.S. Bancorp, Citigroup, Ameriprise Financial and JPMorgan Chase, Verizon, Charter Communications, TiVo, Best Buy, Walgreens, Kroger and Kraft Foods (AOL's WalletPop.com and New York Post April 4, Yahoo.com April 3 and April 8).
Both security experts News Now interviewed agreed that the breach's impact will grow. "There's not a final answer yet [as to how many names and addresses were compromised] but likely it is more widespread than initially believed," said Brian M. Otte, senior vice president of corporate development at Perimeter, a security solutions firm headquartered in Milford, Conn., and a CUNA Strategic Services provider.
Jay Liebe, director of integration at Las Vegas-based Switch SuperNAP, a provider of facility and network security and a CUNA Strategic Services provider, agreed.
"I absolutely don't believe that all the problems have been disclosed," Liebe said, noting that Epsilon is "clearly on damage control, much like those in charge of Japan's nuclear reactors" affected by the catastrophe there.
The breach's direct effect on the credit union market is not yet clear. "Initially, it was a couple of companies, but now it is affecting more and more companies," Otte said.
Is the type of information stolen that serious? Opinions vary. Otte points out that names and addresses can be easily found through other sources and emphasized that "no financial information has been compromised. However, the hackers have access to e-mails and will use them to phish--an action that involves sending phony e-mails and collecting numbers from unsuspecting consumers."
Names and e-mail addresses are all a hacker needs to send "targeted" phishing attacks against a specific brand. While ordinary phishing e-mails rarely reach recipients who are actually customers of the company the sender claims to be, targeted phishing ensures recipients are customers of the company being impersonated. And that could trick recipients into disclosing more information that can be used in identity theft.
Liebe says the breadth and scale of the companies involved indicates Epsilon was "careless" about differentiating different industries' information. "Clearly Epsilon had to have a flaw in its architecture to expose the kind of data it did and to expose such a wide area," he said.
"There are many wonderful companies in credit unions' space who do a phenomenally successful job with security so they are able to protect their members' data," he told News Now.
The fact that Marriott, Verizon and bank data are lumped together indicates they may not have treated sensitive banking data differently, Liebe said. "The data they had relate to their businesses, and Epsilon mixed it all together. I don't believe credit unions as a whole have their marketing services in that kind of setup."
Both experts said credit unions can take specific steps to make sure their members don't succumb to the wiles of the people who hacked Epsilon's database.
"First, they should alert their members and explain that they are not going to ever be asking for any sensitive information. Train members not to respond to the e-mails, not to give out their passwords, not to give out their Social Security numbers," Otte said.
"Second, get an anti-phishing system or service so the credit union can be proactive in tracking to see if any phishing schemes are using their name," Otte added.
Liebe advised that "credit unions share [with members] the hard work they do with security providers to make sure the data can't be shared and compromised. Credit unions don't give their data out like Epsilon did."