Published Date 4/6/11 6:24 AM
A massive data breach at a US-based online marketing firm exposed customer names and e-mail addresses to hackers, prompting security experts to surmise that the information could be used in targeted phishing attempts known as spear phishing. The breach involved the Epsilon unit of Alliance Data Systems Corp., which sends more than 40 billion permission-based e-mails to individuals who register at a company’s website or provide their e-mail addresses when shopping. The company has only slowly disclosed information about the unauthorized access, which occurred on 30 March, but the affected companies are promptly notifying their customers. The list of 50 companies involved reads like a Who’s Who and includes seven of the Fortune 10: Target, Marriott International, Citigroup, Walgreen, Hilton Hotels, US Bancorp, Best Buy, Capital One, Ritz-Carlton Rewards, JPMorgan Chase, and Kroger, to name a few. Security experts say this could prove to be one of the biggest data breaches in US history, if not the biggest. Although only names and e-mail addresses were obtained, security experts say customers are now vulnerable to spear phishing attempts. “Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher ‘hit rate’ than a typical ‘blind’ spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate,” noted SecurityWeek’s Mike Lennon.
(Reuters, 5 April 2011) (Reuters, 4 April 2011) (The Christian Science Monitor) (SecurityWeek)