Here is the list of companies that have notified me to date:
- Best Buy, 4/4
- Verizon, 4/5
- TIAA-CREF, 4/6
- Chase, 4/6
- M&T Bank, 4/8
So the bad guys have many e-mail addresses, and can connect individuals to accounts. So what? Well, apparently some people are getting phishing mails claiming to be from organizations that have lost data through Epsilon. So what? Well, this will make it easier to tailor and target phishing attacks more precisely.
Clearly data leaks all the time. Excerpted from a recent posting by Martin McKeay: I’m no longer surprised when I go into an assessment and somewhere halfway through a conversation a manager says, “Wait a minute, why haven’t I heard of this data repository/network connection/export to sales before now?” But this is a shallower problem, not an inadvertent leak to marketing or sales, but an intentional transfer of data to an outside organization unable to protect the data.
The situation is exacerbated for Verizon customers since Verizon encourages users to log in to its site without SSL/TLS. So, if users think that a picture of a padlock and the word "secure" next to the login text boxes actually indicates anything, they will be more vulnerable to phishing. Surprisingly, Verizon is the only organization from this list training users to ignore TLS. A few years ago this seemed more common, though I have just a very small sample here.
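The padlock-image problem above is easy to check mechanically, because only the transport matters, not the decoration around the form. The following is an added example, not code from the original post or from any of the companies named: given the URL a page was fetched from and its HTML, it lists every form containing a password field where either the page itself or the form's submission target is not HTTPS. The page URL, hostnames and HTML are constructed sample input (the reserved ".invalid" domain), and it goes slightly beyond the text by flagging both cases, since a login form served over plain HTTP can be altered in transit even when its action points at an HTTPS URL.

```python
"""Flag login forms that would submit credentials without TLS.

Added example (not from the original post): report every form containing a
password field whose page or resolved submission target is not HTTPS. A
padlock image or the word "secure" beside the form is deliberately ignored;
only the transport counts.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect the action and password-field presence of each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return [(submit_url, reason), ...] for each login form not protected by TLS.

    A form is reported when the page it lives on is not HTTPS (the form can be
    rewritten in transit) or when its resolved action is not HTTPS (the
    credentials travel in the clear). An empty action submits to the page URL.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in scanner.forms:
        if not form["password"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        reasons = []
        if page_scheme != "https":
            reasons.append("login page served without TLS")
        if urlsplit(submit_url).scheme.lower() != "https":
            reasons.append("credentials posted without TLS")
        if reasons:
            findings.append((submit_url, "; ".join(reasons)))
    return findings


# Constructed sample: a plain-HTTP page that decorates its login form with a
# padlock image and the word "secure" but posts the password over HTTP.
# The second form is a search box with no password field and is ignored.
SAMPLE_PAGE_URL = "http://example.invalid/login"
SAMPLE_HTML = """
<html><body>
<img src="padlock.png" alt="secure"> Secure login
<form action="/dologin" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="https://search.example.invalid/q"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, reason in insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{url}: {reason}")
```

Run against a page you are responsible for, the empty list is the only acceptable result; anything else means the padlock graphic is promising what the transport does not deliver.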
IMHO the Chase leak is the most egregious, since I have had no dealings with them since canceling my card in March 2008. I guess they consider me a potential future customer, but since I do not have a current relationship with them, it would be nice if they would delete my info. I managed to log in to my dormant Chase account, but cannot send them a "secure message" because every attempt results in "Error 500:", which looks like there should be a description after the error number. Yes, I remain unimpressed with the competence of Chase.