|
There is a trend in vigilant disclosure by some companies and service providers. A reader wrote in with a great example of an email disclosure. U.S. Bank informed it's customers of a breach in a partners system. It went on to disclose that the partner system had been accessed by unauthorized users and that customer email addresses had been exposed. What stuck out for myself and other handlers that commented, was the way the disclosure was handled. U.S. Bank then clearly identified it's information disclosure policy. They followed on to inform customers that at no time was financial data disclosed and that only Epsilon's systems had been accessed. If you have had any disclosures from vendors please send them in to us. Packets are better but we take disclosures as well!
Below is the email that was relayed.
Update Thanks to all of those that sent in their notifications. On the list so far: Best Buy, Home Depot, Chase, U.S. Bank, Robert Half, Disney Destinations, Citibank, Hilton Honors. No doubt there will be more to come. -MH- UPDATE 2 Epsilon in their press release mentions that only email addresses and names have been compromised for approximately 2 percent of their clients. A quick calculation shows that is at least 50 organisations (over 2500 clients). So a few more of you may be getting notifications.
Richard Porter --- ISC Handler on Duty Can be reached: Twitter: packetalien Email: richard at isc dot sans dot edu
|
Richard 168 Posts ISC Handler Apr 3rd 2011 |
| Thread locked Subscribe |
Apr 3rd 2011 1 decade ago |
|
www.databreaches.net - search the home page for Epsilon
I got three disclosures this weekend alone because of the Epsilon breach, the same company US Bank used. First it was SilverPop last December, then Epsilon last week and there are some rumblings that the TripAdvisor email address breach, which I also got, may have been from a third company that hasn't disclosed yet. |
Anonymous |
| Quote |
Apr 3rd 2011 1 decade ago |
|
At last check (7:00PM CST, 4/3/11) this was the whole list for this breach. Lots of data compiled from krebsonsecurity.com, computerworld.com, securityweek.com, and the Cincinnati Business Courier.
Barclay Kroger Brookstone.com Walgreens U.S. Bank New York & Co. JP Morgan Chase McKinsey Quarterly TiVo Capital One City Market Fred Meyer Fry's Marriott Rewards Ritz Carlton Smith Brands Citi Home Shopping Network Dillons Jay C Food 4 Less King Snoopers QFC Ralphs Ameriprise Disney Destinations AbeBooks |
Anonymous |
| Quote |
Apr 4th 2011 1 decade ago |
|
I got a notification from Robert Half International, Inc. (rhi.com), as well as one from USBank. RHI is an employment agency.
I'll forward it in. |
Anonymous |
| Quote |
Apr 4th 2011 1 decade ago |
|
Also, I had opted out of marketing emails from USBank, yet I was still in their marketing database :(
|
Anonymous |
| Quote |
Apr 4th 2011 1 decade ago |
|
@BJ: It seems contradictory but they need to keep your email address in the database to know that you have opted out! Also, there are two kinds of opt-out: simple opt-out of marketing emails and full opt-out of all emails. With simple opt-out, they can override the opt-out for important news such as a product recall or data breach (as in this situation). With full opt-out, you will be placed on a "blacklist" that tells them never to send you emails under any circumstances. In both cases, however, they need to keep your email address on file so that they can do that check; if they remove it, they will not know that you have opted out.
|
patermann 35 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Citibank is opting to place it's notification on the login page. Could be better. Chase has theirs behind a link on the main page. I used my bookmark to the login page, logged in, checked the message area, and logged out without seeing a mention of it. You have to look for it.
|
G.Scott H. 48 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Would be nice to get Ben Wright's (instructor) opinion on the matter. Looks like some companies pulled the notification trigger quicker than others.
|
G.Scott H. 1 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
You can also add Best Buy Rewards Zone to the list.
|
G.Scott H. 2 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
@patermann, BJ
No they don't. that is the beauty of hashes. Like passwords, they can salt&hash your mailaddress, so they don't need to keep your info, but can still verify that you DO NOT want SPAM. Off course the spammers could do a bruteforce on it, but it would, at least, make their efforts more expensive and perhaps not worth it... |
nqe 3 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Just want to second nge's comment about hashes.
Hashes are your friend. Use them whenever possible. |
nqe 11 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
I received emails from Disney Destinations and US BANK, and also from Best Buy, which is not on the list above. The wording is pretty much the same in all three emails, very similar to the example above. The Best Buy had a link to geeksquad article on how not to get hacked, which I thought kind of ironic.
|
nqe 2 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
I am a former customer of a few of those places (no longer have credit cards, etc. on purpose). I wonder how many people with former accounts were in those databases and are not notified?
|
nqe 5 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
@patermann, BJ & nqe
If they use a true opt-in* system, all they need to do to do when you opt-out is to delete your email address. There is no reason to maintain a list of people who have opted-out. If you want to opt back in later, you can log onto their site and submit your email address for inclusion. * A system in which offers you a choice in-which the check mark is checked by default IS NOT opt-in! |
nqe 7 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Epsilon *had* (key word, past-tense) pulled the announcement of the data breach from their website earlier this morning. Between my registration and this post, they've apparently put the notice back up.
As an amusing aside, the error page that showed up in its absence dumped a .NET 2.0 stack trace right into my browser. Whoops. |
nqe 1 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Add Robert Half to the list. I used to consult through them, got an e-mail notification this AM.
|
Charles 2 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Got one from Hilton HHonors as well.
|
e.b. 17 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Now covered on Slashdot:
http://yro.slashdot.org/story/11/04/04/160214/Epsilon-Breach-Affects-JPMorgan-Chase-Capital-One |
e.b. 28 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
Add target.com, just got a notice about a half-hour ago.
Leg523 student, if you are current in Ben's class, you should be able to drop him an e-mail asking him a "scholarly question", but not "legal advise" as he advises in his materials. I'm taking that class as well in on demand, so it would be an interesting piece of feedback. Maybe I'll shoot him a note tonight. |
Alan 57 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
I have been notified by The College Board, Target, RHI, and Best Buy.
|
Tom 2 Posts |
| Quote |
Apr 4th 2011 1 decade ago |
|
@nqe: I take your point about hashes, although there is always the (admittedly very small) possibility of collisions.
@jwhitlow: One reason for a company to maintain a list of opted-out email addresses (rather than just deleting them) is for the situation where they have a "refer-a-friend" and/or "forward-to-a-friend" feature. (i.e. Do you have any friends who might like to receive this email? If so, enter their name and email address here...) If a "friend" (or enemy!) uses this feature and sends your email address to the company, the company can check the opted-out list and not send the email to you. If your email address has been deleted, you can find yourself back on the mailing list again because they will not know that you have opted out. |
patermann 35 Posts |
| Quote |
Apr 5th 2011 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
