Epsilon E-Mail Hack: How You Can Protect Yourself
Hacking has long since ceased to be about juvenile fun and games; modern hackers are out to make money. Here's a look at how the bad guys use your information and how you can protect yourself.
Mon, April 11, 2011
CIO — Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; now I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address — and maybe more.
If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a huge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital One, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the customers of its customers — in other words, you and me.
A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase (JPM), Capital One (COF), Marriott Rewards, McKinsey Quarterly, US Bank, Citi (C), Ritz-Carlton Rewards, Brookstone, and Walgreens (WAG). Larry Ponemon, a security expert interviewed by the New York Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's overlap in those lists, but that's still millions of people.
By and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's because Epsilon has stated that only e-mail addresses and names were stolen. By themselves, those aren't enough to obtain really sensitive information like the password to your checking account.
I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the victim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.
Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." By that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are halfway into your account simply by knowing your e-mail address. (Remember, they know you're a customer of, say, Chase, because that information was stolen from Epsilon.)
It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, and often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit.