Attackers Steal Major Retailers', Financial Firms' Customer Email Data

On the surface, the massive hack of email service provider Epsilon might seem relatively benign -- no credit card accounts, Social Security numbers, or source code were stolen, just millions of email addresses and, in some cases, full names. But security experts say the attack, which affects customers of major retailers and financial institutions, could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.

Last Friday Epsilon revealed it had discovered on March 30 that some of its clients' customer information was exposed by a hack into its internal email system. "The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway," the company said in a statement on its website.

Since then, some of the biggest names in retail and banking have begun notifying their customers that their email information was exposed in the breach, and the list is staggering. At last count, there were some 38 companies and counting: 1-800-Flowers, AbeBooks (a division of Amazon), American Express, Ameriprise, AstraZeneca, Barclays Bank of Delaware, Benefit Cosmetics, Best Buy, Brookstone City Market, Capital One, Citi, The College Board, Dillons, Disney Destinations, Food 4 Less, Fred Meyer, Fry's, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, Lacoste, LL Bean VISA, Marriott Rewards, McKinsey Quarterly, New York & Company, QFC, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, Robert Half, Smith's, TiVo, US Bank, Verizon, and Walgreens, according to notices from some of these firms and industry sources.

More firms are expected to come forward as well. The emails and names of the victims stolen by the attackers ultimately have been, or will be, used to spam, phish, or socially engineer them for other more lucrative information, security experts say. In some cases, the customer email information included the customer's banking institution, giving the attackers even more detail to use in their spoofed messages.

"What's scary about this case in particular is that it's now easy to spoof Chase or Best Buy. If you gave your email to Best Buy, you're going to trust that the [phishing] email came from them," says HD Moore, CSO at Rapid7 and creator of Metasploit.

The stolen emails could be used for targeted attacks against corporations, using the stolen email account holders as a first step in an attack, he says. Aside from near-term phishing attacks, the email addresses could also be sold to spammers, Moore says.

What's unclear thus far is whether this latest attack is related to the attacks suffered by email marketing service providers Silverpop and ReturnPath late last year, when they were hacked and their clients' customer email databases, including McDonald's were exposed. At the time, Walgreens also announced its customer emails had been breached, but would not confirm whether the attack was via its email marketing provider.

But according to databreaches.net, Walgreens said the retailer had asked Epsilon to add more security after the late 2010 attacks that hit Silverpop as well. "Apparently, that expectation was not fully met," the spokesperson reportedly told databreaches.net, indicating that Epsilon may now be responding to a second attack.

Walgreens wouldn’t comment today beyond its official announcement: "Walgreens today announced Epsilon, a third-party vendor it uses to email promotional messages, reported an unauthorized access to its computer systems. Law enforcement authorities have been notified and are investigating the matter. Email addresses were the only information obtained in this incident."

Neil Schwartzman, a messaging industry consultant and executive director of The Coalition Against Unsolicited Commercial Email (CAUCE), who was formerly with email marketing services provider ReturnPath, notes that not all of these providers came forward publicly in the late 2010 breach. "We don't know the technical details of this breach," he says. "And we don't know if it's the same gang that hit back then or if they used the same method ... What is clear is that a significant portion of Epsilon's clients were compromised, including seven financial institutions."

The breach at Epsilon is big because it sets up phishers to conduct real-looking attacks that could ultimately also steal more sensitive and lucrative information. "What they have in hand is names, email addresses, and who people bank with. That sets things up perfectly for spearphishing attacks," Schwartzman says.

Such an attack could go like this, he says: "'Dear Neil, You know about our recent breach we wrote to you about. Please go to our database and confirm your [personal account] information. Signed, Visa.'

"This is a real problem," he says.

Dennis Dayman, a MAAWG Board member and chief privacy and deliverability officer at Eloqua, says an attacker could conceivably have emails from 10 different brands that a user normally would trust via email. "Now it has 10 different brands that could be used against you, to get information about you and your personal life," says Dayman, who says he sees the fallout lasting for two, five, or more years down the road.

What should consumers whose emails have been exposed do? Besides being wary of emails from these brands, you could take a more extreme measure and change your email address. "Change your email address. That's the only way you're going to be able [to protect yourself]," Schwartzman says. "It's incredibly depressing to have to say that."

Meanwhile, email service providers will continue to be a valuable target. Expect more attacks on these companies, experts say. "Their intellectual property is their email addresses," says Marcus Carey, community manager for Rapid7. That information then can be used to target corporate users and, in turn, their employers, he says.

And just how long attackers had possession of the emails and if they already had been using them in phishing emails is unclear, he says. "There was a window where some attackers could have been using that information," Carey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.