Sunday, April 10, 2011

Epsilon, No Delta

A number of organizations with which I have (or had) financial relations have recently sent e-mails saying they have lost some of my personal information. At first I was unconcerned, because the impression I got was that it was just my e-mail address, and it was just Best Buy, or just Best Buy and Verizon, or just Best Buy, Verizon, and TIAA-CREF, or, well, around the time I got the TIAA-CREF mail I started to get concerned. This is a major financial institution, and, one might hope, one not cavalier about my personal information.

Here is the list of companies that have notified me to date:
  • Best Buy, 4/4
  • Verizon, 4/5
  • TIAA-CREF, 4/6
  • Chase, 4/6
  • M&T Bank, 4/8
All of these organizations, and I'm sure others, are informing their customers that an apparently inept contractor called Epsilon has lost their e-mail addresses. The first thing to note is that the financial institutions were the slowest to inform me. This may be just coincidence, but it is easy to believe that Best Buy was more responsive than M&T Bank. Kudos of a wry sort to Best Buy.

So the bad guys have many e-mail addresses, and can connect individuals to accounts. So what? Well apparently some people are getting phishing mails claiming to be from organizations that have lost data through Epsilon. So what? Well, this will make it easier to tailor and target phishing attacks more precisely.

Clearly data leaks all the time. Excerpted from a recent posting by Martin McKeay: I’m no longer surprised when I go into an assessment and somewhere halfway through a conversation a manager says, “Wait a minute, why haven’t I heard of this data repository/network connection/export to sales before now?” But this is a shallower problem: not an inadvertent leak to marketing or sales, but an intentional transfer of data to an outside organization unable to protect it.

The situation is exacerbated for Verizon customers, since Verizon encourages users to log in to its site without SSL/TLS. So, if users think that a picture of a padlock and the word "secure" next to the login text boxes actually indicates anything, they will be more vulnerable to phishing. Surprisingly, Verizon is the only organization from this list training users to ignore TLS. A few years ago this seemed more common, though I have just a very small sample here.

IMHO the Chase leak is the most egregious, since I have had no dealings with them since canceling my card in March 2008. I guess they consider me a potential future customer, but since I do not have a current relationship with them, it would be nice if they would delete my info. I managed to log in to my dormant Chase account, but cannot send them a "secure message" because every attempt results in "Error 500:", which looks like there should be a description after the error number. Yes, I remain unimpressed with the competence of Chase.
