Millions of consumers were surprised by email messages in their inboxes this month alerting them to one of the most widespread online security breaches in recent history.
As many as 50 major companies revealed that their customer email lists had been compromised after a cyber-attack on a shared technology vendor, Epsilon. According to news reports and company statements, an unknown person or group gained access to the Dallas technology company's database, allowing them to obtain subscribers' names, email addresses and business relationships.
Credit card company actions
Credit card issuers and retailers issued some of the first warnings to their customers, assuring them that account details beyond name and email address had not been shared with Epsilon. Based on the nature of the security breach, companies noted, the culprits did not gain enough information to directly access customer accounts. However, according to data security specialists, criminals could use banks' customer lists and message histories to create realistic-looking messages that contain balance transfer offers or instant approval applications.
Identity theft risk
Data security specialists advised consumers to follow four tips for avoiding identity theft after a security leak of this nature:
- Visit credit card websites directly, instead of following emailed links. Many of the best credit card companies have already adopted this practice, eliminating the chance that mail forgers could trick cardholders into visiting false versions of their websites.
- Use email aliases to track the source of incoming messages from banks or credit card companies. MobileMe, Gmail, and other email providers allow users to create special email addresses for single purposes. Subscribers can change or delete compromised email addresses without affecting core email accounts.
- Manage credit card accounts on secure websites or by phone, never by email. Although convenient, email lacks the security to protect personal banking and credit information from prying eyes.
- Use distinct passwords for each credit card website and email account. Some security experts expressed concerns that criminals might use Epsilon's lists to guess passwords shared across multiple sites. Tools like LastPass and 1Password can randomize passwords while helping consumers track secure logins across multiple websites.
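The alias tip above can be checked mechanically. The following is an added example, not part of the original article: it assumes aliases take the plus-addressed form `user+tag@host`, and the alias registry, company domains and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: alias tag -> domain of the company that was given that alias.
ALIASES = {"examplebank": "examplebank.example", "shopmart": "shopmart.example"}

def alias_tag(address):
    """Return the tag of a plus-addressed recipient (user+tag@host), else None."""
    local = address.rpartition("@")[0]
    _, plus, tag = local.partition("+")
    return tag if plus and tag else None

def domain_matches(sender_domain, expected):
    return sender_domain == expected or sender_domain.endswith("." + expected)

def classify(raw_message):
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    tag = alias_tag(rcpt)
    if tag is None:
        # A company that was given an alias should never write to the bare address.
        if any(domain_matches(sender_domain, d) for d in ALIASES.values()):
            return "bypasses-alias"
        return "no-alias"
    expected = ALIASES.get(tag)
    if expected is None:
        return "unregistered-alias"
    if domain_matches(sender_domain, expected):
        # From is forgeable, so this is consistency only, not proof of authenticity.
        return "consistent"
    return "alias-leaked"  # the alias reached a party it was never given to

def make(sender, rcpt):  # builds a constructed sample message
    return f"From: {sender}\nTo: {rcpt}\nSubject: Your account\n\nbody\n"

SAMPLES = {
    "genuine": make("Example Bank <offers@mail.examplebank.example>", "pat+examplebank@mail.example"),
    "leaked": make("Example Bank <offers@examplebank-secure.example>", "pat+examplebank@mail.example"),
    "bare": make("alerts@examplebank.example", "pat@mail.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

An `alias-leaked` result is the signal to retire that alias and issue a new one to the company it belonged to.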
Because many large companies rely on third-party email services to deliver customer messages, security professionals cautioned that the Epsilon breach underscores the need to remain vigilant for spam and phishing attacks based on compromised mailing lists.