Epsilon.com – Let the Phishing begin in 3 or more months

April 5, 2011

If your like me your getting an email from some one that tells you that their email data base with epsilon.com has been compromised. So far I have gotten emails from Usbank.com, chase.com, bestbuy.com and walgreens.com. Before this week I did not know the name epsilon, yet now I see it all over the news, and I am still getting emails.

I am not even sure why usbank.com still has my email as I left them because they refused to provide me a letter on USbank stationary for my merchant stating an account was mine, and the merchant is owned by the same company. Elavon (formerly Nova) told me to do what usbank.com refuse to do. The fastest thing they could do was to wait 2 – 3 weeks for some checks to come in for an account that I did not want debit cards or checks tied to (a deposit only account). What was even faster was to close my accounts and take all of the money to another bank that had no problem typing up a letter on company stationary saying and account was mine (50 minutes arguing and canceling my account with usbank, 10 minutes to drive to another bank and 20 minutes to open the account and get the letter). You would think after 2 years they would not have my email address. Nor would you think they would tell an ex-customer “As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.” Then walgreens.com got my email because I had them print some digital pictures. If anything I am bothered by the fact that Chase.com is one of the people effected by this epsilon.com. But then again, why would a bank trust your information with a third party such as epsilon.com?

But I think the real opportunity is being missed by Epsilon.com and every other company effected by this data theft, and that is to make phishing a more commonly known issue.

Chase.com contacts me about Epsilon.com

Chase does some what of an effort, but its almost as if they do not want to draw attention to the fact that of what those emails + names could be used for:

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.

We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.

As a reminder, we recommend that you:

Don’t give your Chase Online^SM User ID or password in e-mail.
Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
Don’t reply to e-mails asking you to send personal information.
Don’t use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.

Sincerely,
Patricia O. Baker
Senior Vice President
Chase Executive Office

Walgreens.com contacts me about Epsilon.com

Walgreens does a slightly better effort then Chase to inform what could happen with the information that was stolen

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon’s email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team

Epsilon only lost emails?

If you read all these emails, the only thing that sounds like that was taken was your email address. However Epsilon’s own site says:

IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset* of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3

Why is it that only Epsilon tells you and “The information that was obtained was limited to email addresses and/or customer names only.” Despite what the companies that use Epsilon say, more then email was taken, worst of all part of that data may be your name.

Epsilon.com only lost my email and name, so what? right?

If your like my mom, your going to think it was just your email, maybe even your name. But what can they do with that? After all thats what Epsilon.com tells the companies that use their service was compromised. But what they are not telling you is the value of those email address, and perhaps your name to someone that does not have your best interests at heart. This is one of those things that could come back later to haunt you. Its not like who ever stole your information will use it today, or even tomorrow. Maybe not next week, but perhaps months after you forget about this. Your going to get an email that tells you that there is a problem with your account. Please click here, enter in your name, address, social security number, who your third grade teacher was, the name of your pet, credit card numbers, bank numbers, and what ever else they can get from you to steal your identity. As a former hosting provider, I can not begin to explain how big of a problem phishing is. But I can tell you there just is not enough talk out there on prevention.

I get email all the time from companies that I have never done business with. But I do get emails that try to phish for my details from companies I do use. Lets take for example I play World of Warcraft. One pretty common piece of Phishing I have seen is I get an email telling me my account has been banned for x reason. Funny thing is last time I got one of these emails while I was playing the account when I got that notice. Got to love having a multi-monitor system where you can game and read email at the same time. The problem is the email came from China, and the domain that I am supposed to go to was recently purchased. So it was not Blizzard.com contacted me, or I would not been able to play. Another problem is they don’t know my name. Granted not everyone that got that email plays World of Warcraft, like my mom. While she knows that I play, she thinks for some bizarre reason Blizzard is going to contact her to tell her I have been banned. So she will of coarse forward me this phishing spam, then try to call me or chat to “help” me out.

I can’t tell me how much that worries me, because she thinks if things are on the web then they are true. I have yet to meet a doctor she has not tried to prove wrong because someones blog ran counter to her doctor’s years of training and experience. I have had the talk with her that she needs to avoid emails that tell her to click on links. Also that Blizzard.com does not know her, or that we are related. Also that thousands if not millions of people that do not play World of Warcraft got the same email. But what would help me is if the companies effected by data theft would tell her what could happen.

What Epsilon.com and every company thats emailing you should tell you about phishing

Here is what phishtank.com say phishing is: “Phishing is a fraudulent attempt to get you to provide personal information, including but not limited to, account information.”

Its not always by email, which is why I say it was a problem as webhost. Someone might buy a hosting account under one name, then later host a domain that is similar to whom they are trying to mimic. Like world of warcarft. Hence why I did random audits from time to time. I strongly encourage anyone that does not understand phishing to visit:

http://www.phishtank.com/what_is_phishing.php