“Advice” after the Epsilon breach

Should I feel left out? I didn’t receive an apology letter from my bank, broker or grocery store this week. In case you are wondering what they should be apologizing about – besides the weak dollar or the price of tomatoes — the online marketer Epsilon was breached this week by hackers, and reports say that millions of US customers’ email addresses and names were exposed (as well as the name “Epsilon” which was previously unknown to most consumers). According to Reuters, Epsilon provides online marketing services for some of the biggest names in the business, including Target, Marriott, Citigroup, Walgreen, US Bancorp, Capital One, Best Buy, and Kroger, the country’s largest grocery store chain. So dozens of leading US companies have been put in the embarrassing position of informing their customers that their information may have been compromised (in the image below: a collection of our favorites from Chase, HSN, Hilton and Robert Half).  

First of all, kudos to the companies that rushed to inform their customers. Any crisis management expert will confirm that calm, informative communication is key to containing the issue, and to retaining and rebuilding customer confidence.

And beyond that, I didn’t know whether to laugh or applaud at the advice I’ve seen included in some of the apology letters. Truth be told, this is advice they should be sending their customers regularly anyway, regardless of any breach. Some of the common sense recommendations I’ve seen in letters from companies that were compromised –my response to most of these is “well, duh”:

  • We want to urge you to be cautious when opening links or attachments from unknown third parties.
  • We ask that you remain alert to any unusual or suspicious emails.
  • Don’t give your [bank name] User ID or password in e-mail.
  • Don’t reply to e-mails asking you to send personal information.
  • Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
  • Don’t open links or attachments from people you don’t know and trust.
  • If you receive an email appearing to come from us that does ask you for sensitive information, do not respond, click on any links, or download any attachments. Instead, please inform us immediately at the toll-free number or email address provided below.

This last one is pretty funny, since if it’s from a phisher, the phone number will lead the user right back to the phisher; so I would have recommended that they write “…please inform us immediately by calling us at the toll-free number available on our web site,” since in that way the caller has the control over finding the phone number. (Of course if the web site has been compromised and the number changed to reach a phisher, then you’re completely screwed… but chances of this are slimmer than the email being from a phisher)

The important point here is that users should never click links within email messages; if you need to visit your bank site, you should simply type in the known URL into the address bar on their browser. And hopefully, if your computer hasn’t already been compromised by a Trojan that has hijacked your session, you will actually be directed to the bank site itself.

And you should be extremely careful not to make typos when typing the bank’s URL, since phishers are known to purchase domains that are very similar to bank names, with common typos, so you may end up visiting a site that appears to be your bank site, but actually belongs to a criminal who wants to steal your credentials.

The funniest comment from one of the apology letters had to be: “Please note, it is possible you may receive spam email messages as a result.” Uh, wasn’t the world being inundated with spam anyway?

Of course if you’re using a good spam filter you won’t notice the increase. At Commtouch our spam analysts will be watching to see if global spam takes an uptick as a result of this breach – my guess, yes, spam will increase (doesn’t it always? Well, except when a major botnet is taken down…), but mostly I would expect there to be an uptick in targeted attacks, a.k.a. spearphishing.