It’s been quite an active week in the security arena, and I’ve been following the Epsilon data breach story with interest (despite being locked in a windowless conference room for 2 days of meetings). Clearly, there’s been a lot of focus (and rightly so) on the millions of email addresses compromised from many major companies’ marketing lists managed by Epsilon.
Like most people I’ve spoken with, I’ve already received several notifications from companies with whom I do business that my email address has likely been leaked, as a result of “unauthorized entry into Epsilon’s email system”.
There are still many unknowns about this, including the extent of the data lost and the method of access. These are all legitimate questions, for which we deserve answers. As someone whose email address has been stolen, and as a vendor in the security space, I’m doubly interested.
In addition to the open questions about specifically what data was lost, from a security perspective (and from the perspective of wanting to prevent future recurrences) it’s very important for us to get clarity on exactly how this data was accessed.
Was this a hacker attack, exploiting a security hole, or did this somehow involve abuse of improper access, perhaps from an employee or business partner? Or, as is increasingly common, was it a blend of these?
While simply obtaining email addresses might only be considered a minor annoyance, the fact that these were exposed with the associated context of the business relationship significantly increases the risk of successful phishing attacks. With so many millions of email addresses exposed, even a low-percentage attack will bear fruit.
And, as the recent RSA attack demonstrates (a topic I’ll discuss in my next blog entry), this kind of targeted phishing can serve as an entry point for a very damaging attack.
I look forward to learning more about this attack, and discussing the implications here.