Epsilon – Keep Calm and Carry On
There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost, though. I’m going to try to answer some questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing, as sending email to a lot of people “properly” such that it’s delivered to them in a timely fashion, it’s sent only to people who want it and so on is quite difficult to do well and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really know the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon were your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by who and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways
- The company itself sells the email address (pretty rare, at least for reputable companies)
- An employee at the company takes the email addresses and sell them (rare, but it happens, especially as people leave the company and take email addresses they have access to with them – an Oracle sales rep did that for one of my email addresses, for example)
- The company subcontracts some part of their business – such as sending email – to a subcontractor and somebody there takes the addresses. (Not that common, but it can happen when a somewhat reputable company hires a semi-reputable marketer who hires a disreputable marketer who hires a spammer)
- The company leaves the list of email addresses somewhere public and someone stumbles across them (rare for reputable companies but sadly common for hobbyist websites and tiny companies whose main presence is online)
- Someone breaks in to a company using an automated tool that attempts “simple” compromises at thousands of websites, and stumbles across data they can sell almost by accident (hard to say, but probably fairly common)
- Someone targets a company and breaks into their computers specifically to steal addresses (probably quite rare, but a high profile incident when it does happen – as the current Epsilon coverage shows)
- The email addresses are, for some reason, left on a Windows desktop or laptop, and that laptop is infected by a virus or compromised in some other way, then sends the list of addresses out to the internet, intentionally or otherwise (very common, especially in the case where you have a particular sales rep at a company, so their have your email address in their mail clients address book). Email addresses will leak from your friends infected machines in just the same way
- … and lots of other ways
6. So why is this the first time I’m hearing about it?
I’m not really sure. The recent Epsilon leak was pretty big, and their customers have been fairly good about notifying people about it. That’s probably because there’s been a move in the past few years to thinking that people should be notified in such a case, and some law (at least in California) that requires it. Because of the size of the leak and the widespread notification, this particular incident has made it into social media, blogs, facebook, twitter and finally the mainstream media.
7. What bad things will happen to me?
Not many. Maybe none.
If you’ve not received any spam at all to your email address in the past then you might start receiving some now. You’d probably have started receiving spam sooner or later anyway, as email addresses leak all the time – from individuals and ISPs as well as vendors, marketers and ESPs.
If you’re already receiving spam, you might start getting a little more. Though likely not so much more that you’ll notice. The spammer ecosystem already has your email address, and they’re already sending you spam – if a few more spammers get your address from a new source you may get a little more.
It’s possible you’ll see some additional attempts to “phish” information such as passwords and account access from you. And those may be a little better targeted and better done as someone has a list of companies you’re expecting to receive email from. You should already be wary of phishing attempts, though, as you’re likely being targeted already – whether your data was stolen this time around or not.
If you’re suspicious about an email, or there’s a link in it that goes to a page where you’re going to have to enter a password or any other account information – don’t click on the link. Either go to a bookmarked page or type the link into your browsers address bar instead.
That’s about it.
8. OK, what good things will happen to me?
Not many. You’re hopefully a little more aware of phishing now than you were, and you’ve got a better idea of what companies do with your email address.
9. What should I do?
The world is not going to end. Bad guys aren’t going to take control of your life.
You should pay attention to companies who’ve notified you that they’ve had information stolen, and be somewhat more wary of email that claims to be from them over the next few months. You might want to change the email address you have on file with those companies, and then be very wary of any email claiming to come from them that goes to the old email address.
But remember that just because a company hasn’t notified you, it doesn’t mean that they’ve not had your email address stolen anyway, either in this incident or another one, so be wary of any email that’s asking you for account information, or directing you to a webpage where you need to log in or provide account information. Brian Krebs has some good advice about avoiding email scams and phishing – none of which is new advice, it’s just good advice that’s being repeated in response to the media mentions of the Epsilon leak.
You might want to use more than one email address – use one to deal with just your bank, for example, so that you know anything claiming to be from your bank to any other email address is probably someone trying to scam you.
10. What shouldn’t I do?
Don’t stop using email, personally or with companies. While I said above that email addresses get leaked all the time (and they do) only a small fraction do. For every email address I’ve given a company that’s leaked there have been a hundred that haven’t. Just don’t be too trusting of people sending you mail, and trust your instincts about it.
And don’t pay too much attention to anyone who is using this particular incident to promote their own product or to push you into major changes in behavior. Security companies and bloggers love loud, scary headlines as they tend to lead to more linking and traffic in a way that more sober, accurate reporting doesn’t.
You were at risk for phishing and spam a year ago, and you’re still at risk today. Nothing much has changed. Keep being wary of email borne scams and phishing, but keep calm and carry on.