Epsilon e-mail data breach has knock-on effect for several brands

The incident is one of a growing list of data breaches at US companies, according to reports, including Best Buy, TiVo and Walgreen.

Epsilon says in a statement that a full investigation is underway after the discovery of the breach of some customer client data.

The company says the stolen data is limited to e-mail addresses and/or customer names, and that no other identifiable personal information associated with the names is at risk.

The fact that only names and e-mail addresses were spilled is moderately comforting, but of greater concern is the knock-on effect of this data breach, says Paul Ducklin, head of technology for security firm Sophos in the Asia Pacific region.

Epsilon is a cloud provider of electronic direct marketing services, so a security breach of the Epsilon system is a breach of all its customers' systems, too, he says in a blog post.

Customers urged to be cautious

McKinsey Quarterly, AbeBooks, Lacoste, Marriott Rewards and JP Morgan Chase are among Epsilon's customers and have issued warnings to their customers.

"We have been assured by Epsilon that the only information obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information," McKinsey told customers.

The firm says it is working to confirm Epsilon's claims, but assures customers that no credit card numbers, social security numbers, or other personally identifiable information of users is at risk.

"Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties," the alert said.

McKinsey also warned customers that it would not send e-mails asking for credit card numbers, social security numbers or other personally identifiable information.

"If you are ever asked for this information, you can be confident it is not from McKinsey," the alert said.

Cloud computing security doubts

For customers of these organisations, says Ducklin, losing their e-mail address via a service to which they already belong makes it much easier for scammers to hit them with e-mails that match their existing interests, which can make the fraudulent correspondence seem more believable.

This latest breach, he says, also casts doubt on the mantra of cloud computing evangelists that cloud-sourcing high-volume internet services is certain to save money, improve up-time and boost security.

Cloud computing service providers are bound to have experts on the job who are at least as switched on about security as their customers, evangelists argue. But, says Ducklin, keeping in-house skills and abilities factored into an organisation's security equation can sometimes pay off, especially as a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they do not know everything about security.

This story was first published by Computer Weekly
