Sunday, April 3, 2011
Do Thefts of Promotional Email Databases Enhance the Success of Social Engineering Attacks?
Last Friday Epsilon, a permission-based email marketeer, issued a press release which said: “On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only.” The company sends over 40 billion emails annually and has over 2500 clients. Several high-profile clients have quickly informed their customers that they may be subject to social engineering attacks as a result of this breach.
What made this stolen email database so valuable is that customers opt in to promotional emails from Epsilon’s clients, so a spoofed mail has a higher chance of being read and acted upon than unsolicited mail. Email spammers spend significant effort harvesting and validating customer email addresses, and a breach of a verified source gives them rich information instantly. Such data could also be of use to competitors and could be sold on the black market.
Today, many companies outsource promotional activities such as mail and phone campaigns to small advertising agencies and firms. To run these campaigns, the companies need to share subsets of their customer databases with these firms. Ensuring that these firms adequately protect customer data, beyond contractual commitments, is crucial, as small firms may not be equipped to handle security threats and are easy targets for hackers. Large companies in the banking, financial, telecom and retail sectors which use such agencies are particularly vulnerable. Small firms, unlike Epsilon, may not reveal that they lost customer data, or perhaps even realize that they have been breached.
For customers like you and me: as always, trust less and be watchful when personal information is asked for, even in solicited mails. You never know!