Apr 12

Phishermans Friend

I get an email from McKinsey. “Someone you have never heard of has lost your data.”

I was not alone. Epsilon, a marketing services company that sends 40 billion e-mails a year has been hacked. An estimated 2% of its customer date has been “exposed”. As with the recent major leak at RSA, Epsilon has not disclosed any details of the breech. The full impact of the breech is well explained in the Economist.

The emails being sent by major companies including JPMorgan Chase, Target, McKinsey and Marks & Spencer are all in the same format:

“We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information…We want to urge you to be cautious when opening links or attachments from unknown third parties.”

Well the files stolen DID contain some other valuable information – the trusted relationship between me and the company. The phishing emails won’t appear to come from ‘unknown third parties’ – they will look as if they have come from the company which I know, and have trusted until now.

Phishing emails are always obvious from:

  • They contain basic spelling errors.
  • They never address you personally.
  • They come from a company where you don’t have an account.

Combined with a spell checker, the spear phishers behind the Epsilon leak can give the crime a quantum leap.

Here are the questions to ask any company that has been using Epsilon to email you:

I am sorry that your email of n April provided so little information about the data breach. The wording, which appears to be the same boilerplate sent by other customers of Epsilon, contains some significant omissions:
  • “the only information that was obtained was your first name, last name and e-mail address” – did it not contain more?: the trusted relationship with you? my home address? my email preferences?
  • “We want to urge you to be cautious when opening links or attachments from unknown third parties.” Any spear phishing emails using this lost information will not “come” from an unknown third party.
  • ” We take your privacy very seriously, and we will continue to work diligently to protect your personal information.”. What diligent work had been undertaken before the breech to audit the security at Epsilon?
To McKinseys credit they responded within hours:
Dear Nic

Below is another boiler plate for you as I’ve had to answer this a lot. Incidentally, I looked up your account under nic@nicevans.eu, and you are just a free member so we only have your email, name, company and title – not your address. Epsilon assures us that ONLY name and email were taken. Please read on for further info.

McKinsey Quarterly deeply regrets this unfortunate circumstance.  We take your privacy concerns very seriously, and we felt it was important to inform our users as soon as the facts became available to us.

As you may have seen since McKinsey Quarterly’s message to its users, McKinsey Quarterly was one of many Epsilon clients whose data was compromised.  Many of our users have noted that they subsequently received breach notifications from credit card companies, reward programs, online services, retailers, etc.  Epsilon is one of the largest email service providers, and, unfortunately, many have been affected.
For all affected companies and end users, Epsilon has publicly stated that the breach was “limited to email addresses and/or customer names only.”  Following our message to users, Epsilon has provided further assurances to McKinsey Quarterly, specifically: “All data extracted from the platform is logged and the only data extracted/downloaded to a file was email, first name and last name.”  Additionally, “the attacker was only logged into the system for a short period of time based on application logs… which would not have allowed the user to manually review (rather than download) a single record at a time.”

McKinsey Quarterly does not store sensitive personal information (such as account passwords, financial information, or other personal identity details) with Epsilon.  We urge our users never to respond to emails requesting sensitive information and to be cautious when opening links or attachments from unknown third parties.

Epsilon has detailed for McKinsey Quarterly security measures put into place since the breach, and they are working with appropriate legal authorities in an ongoing investigation.  McKinsey Quarterly is separately undertaking its own review of Epsilon and email service providers, in general, and we can assure our readers that we will endeavor to ensure the highest security of our users’ information.

Again, McKinsey Quarterly deeply regrets the inconvenience to our valued readers. Thank you for your continued patience, understanding and readership.

Sincerely Yours,

Rik Kirkland
Senior Managing Editor,
McKinsey & Company

Permanent link to this article: http://transformingfinance.eu/phishermans-friend/