There has been a lot of online venting and hand-wringing in the week since customers of email services provider Epsilon began informing millions of individuals in North America and Europe that their name and e-mail address had been stolen in a massive data breach. In the week since the breach, there have been emphatic warnings about the potential for phishing attacks against the customers of Epsilon clients like Citi, Mariott, MoneyGram and Dell. But does the theft of names and e-mail addresses constitute a major breach of personal privacy that consumers should be concerned about? I believe it does.
One useful thought-exercise is to imagine the criminals who make it their goal to learn information about people and exploit it to their advantage. Then, look at those who broke into the databases of one of the largest email marketing firms in the country to take as many customer data sets as possible and posit what they are going to do with what they have acquired. Why just sell the lists? That’s easy money. Email addresses can give them the information they need to perform some highly-targeted spear-phishing schemes.
It’s a common mistake to think that email is not considered PII – or “personally identifiable information.”
A few days ago, Brian Martin of the Open Security Foundation, noted that because the Epsilon breach involved ‘just e-mail addresses,’ that people don’t seem to care about the details of the incident like they do for RSA or A breach involving more sensitive kinds of PII.
But David Stampley, a partner at KamberLaw, LLC, has observed that email has indeed been incorporated into the category of PII, with court and FTC rulings going back almost a decade as proof.
Changes in the way we interact online make knowledge of your e-mail address more valuable than ever. Like many of you, I’ve spent the last 13 years building a professional network. And, like you, these days I rely on that network for all kinds of things: expanding my professional connections, tapping subject experts and, of course, helping friends and acquaintances get their resumes on the desks of hiring managers. One thing I’ve discovered in the process is that you can find out quite a lot about a person from “just” their email address.
What might the criminals who broke into Epsilon do with the email lists they have?
The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from databreaches.net, totals are up to 57 customers including credit card providers with branded cards – Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts.
Second easiest? The Epsilon hackers might use the lists of addresses they stole for traditional, blind phishing schemes. The sheer volume of the Epsilon breach means that the amount of information that could be gathered just based on a massive phishing scheme could translate into substantial returns.
But what about the tech-savvy and phishing-aware consumers? The criminals don’t need to come to you – and if they do, they will be very smart and targeted about it. They will do their homework.
Email addresses are often in predictable formats these days (especially work addresses) – usually enough to give away a first and last name or first initial and last name and a domain. In many cases that is all that is needed to determine who a person is and possibly where they live or where they work. It could give them either the target’s personal email ISP domain (possible regional location) or, worse, domain for the company the target works for.
The next step would be to take a methodological approach to determine the most high-value targets – compare the domain part of the email against companies in the Fortune 500 and their executives.
With that smaller list, a good social engineer can use Google to hit up a number of sites on the Web from professional networking sites like LinkedIn (Linkedin.com) as well as professional information aggregators like MyLife.com, Pipl.com, and PeekYou.com to gather details on an individual.
Then comes social engineering: the criminals might call up a company office or headquarters and ask to be connected to their target. If they are transferred, they now have a confirmed, viable target to begin plotting a carefully-planned spear-phishing scheme. If the target is no longer there, they simply move onto the next name on the list.
If they score a hit, e-mail messages sent to the target claiming to be from friends or business acquaintances can put key loggers, Trojan horse programs or other malware on their work computer. Alternatively, a home address might yield personal computers protected by less robust broadband or home wi-fi routers.
Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks.
With millions of consumers swept up in the Epsilon breach, including many of you readers, the question is: ‘What can I do?’ Here are my suggestions:
- Be vigilant, aware and watchful of someone trying to use information you may not realize is out there to take advantage of your role within your company.
- Also consider changing your account passwords on any service that utilizes your email address as a login credential when learning your email as been compromised.
- Remember – security awareness thwarts social engineering.
- Consider reporting suspected phishing emails – Gmail and other services let you automatically report phishing attempts and according to the databreaches.net post, you can report to the Secret Service by emailing email@example.com or the Federal Internet Crime Complaint Center (IC3) as well.
B.K. DeLong is an independent security analyst based in Boston.