By now, everyone has probably read about a company named Epsilon. In fact, most people likely have second hand involvement, receiving one or more emails from companies you do business with warning you to be very careful after a recent incident. Most of these companies have used a similar form letter explaining the concerns and that you should be “cautious of phishing e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information.” These notifications stem from Epsilon, a managed e-mail broadcasting company, getting compromised and having all of their customer e-mail addresses copied.
We have received a few emails from people asking us how we could have missed the Epsilon breach and why it isn’t on our site. Well, it actually is on the site as we do follow incidents such as this, however, it is listed as a Fringe incident. Why “Fringe”? From what we can tell so far, the breach (while unacceptable) is contained to Names and Email Addresses. We do recognize that this information may increase the risk to customers as targeted spearphishing attempts may be more successful, however, there is no loss of PII. We have debated this topic for years and instead of not including them in DataLossDB, they are now just labeled Fringe. There will be more debate on the severity of this incident for sure. Some think it is critical and others merely say that their email address was never meant to be private anyways. There are good arguments supporting both sides of the debate.
We will be continuing to add all of the affected organizations as we learn about them, and you can see the incident here: http://datalossdb.org/incidents/3540
When Epsilon posted the notice on their site they mentioned: “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”
As on April 4th, they have now have updated the definition of “subset” to mean “The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services.”
As of today, we are aware of a little over 40 companies affected and more notices are pouring in from users. As to how many users are impacted that is anyone’s guess. Our guess is A LOT.
If you want to read some of the notices we have received, over a dozen are on our mailing lists archives: http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html
For those that want to play along, we have decided to make some Epsilon Bingo Cards. If you are able to fill up a whole card and prove it with the notices we might have to give you a prize… that is the least we could do, right?
As always, please keep sending us any notices that we are missing so that we may better gauge the scope of this incident and update the cards.