Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy Your Rights Online

Epsilon Breach Used Four-month-old Attack 48

schliz writes "Marketing giant Epsilon knew that it was vulnerable to an attack for 'some months' before suffering a high-profile breach last week. According to Epsilon's technology partner ReturnPath, the breach was part of a series of socially engineered attacks discovered in November."
This discussion has been archived. No new comments can be posted.

Epsilon Breach Used Four-month-old Attack

Comments Filter:
  • Stupid (Score:5, Insightful)

    by The Grim Reefer2 ( 1195989 ) on Thursday April 07, 2011 @09:15AM (#35744346)

    Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

    • Re:Stupid (Score:5, Funny)

      by fuzzyfuzzyfungus ( 1223518 ) on Thursday April 07, 2011 @09:18AM (#35744390) Journal
      Arguably, their management team should be given a life-sentence of manually deleting penis-pill spam using the 'Incredimail' [incredimail-corp.com] client on a virus-riddled WinME box with inadequate RAM and AOL dialup.

      The rest of the company can be sold for scrap, and their mailing lists tossed into the nearest smelter.
    • by Toe, The ( 545098 ) on Thursday April 07, 2011 @09:35AM (#35744622)

      The letters from Chase and Citi, both say effectively: "your data was stolen, here's what you should do to protect your data." They then go into a litany of minor data hygiene practices, failing to point out they themselves did not vet their vendor's security practices. There is no claim of culpability for bad security policy nor any indication that they will try to do better in the future. In other words, no reason why you should trust them with your data (and this response is sadly commonplace).

      • by mlts ( 1038732 ) *

        I'm sure none of their minor data hygiene practices have stuff that really matters too:

        If one has Chase, Citi, or a bank that is affected, change the E-mail address to one, preferably something just opened on a non-free domain, like me.com. This way, if the bank does send an official notification, it definitely will be correct, while the phishers will continue to send to the last address.

        Well, this is until someone gets haxxored again and the new E-mail address gets compromised. I doubt there will be more

        • by sjames ( 1099 )

          Oh, they'll put plenty of effort into making sure news of any future breaches stays quiet.

    • Why not have law enforcement work harder on these crimes than drug enforcement?

      • You can have much more fun parties with confiscated drugs than you can with confiscated emails lists. Seriously, when was the last time you heard anyone say, "Cops always have the best lists of spamable email addresses!"
    • Re:Stupid (Score:5, Interesting)

      by WrongSizeGlass ( 838941 ) on Thursday April 07, 2011 @10:13AM (#35745150)

      Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

      I'm guessing that there aren't more laws because legislators don't know shit about data & security so when they try to enact laws about these things they miss the mark by being too lax, too broadly defined or they just don't get it at all. Massachusetts seems to get it [wikipedia.org] and recently handed down their first penalties [slashdot.org].

  • Proving once again (Score:5, Insightful)

    by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Thursday April 07, 2011 @09:23AM (#35744448)

    That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

    Your users are children. Treat them as such.

    • I wish I had a mod point left.
    • by gstoddart ( 321705 ) on Thursday April 07, 2011 @09:56AM (#35744882) Homepage

      That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

      And, since they're storing other people's data (some of mine for example) they have a responsibility to make sure they're actually taking steps to protect it.

      So, I say don't treat them like children ... I say treat them like adults who are expected to know better, and make sure they have consequences, because they've been entrusted with this stuff. Don't coddle them and say "mustn't touch", this is serious stuff.

      I must say, I'm somewhat annoyed at the companies I dealt with who farmed out this stuff. But I figure if your industry is doing this stuff, you should be held to a standard similar to my banking information ... if you lose track of it, or allow a breach, there should be significant (and increasing) fines for something like this.

      There are now several companies I have a business relationship from whom I will have to largely distrust emails until I can bypass any links in the email and verify ... some of these companies have had over $10K in business from me in the last year. They're going to have to work awful hard to repair my trust.

    • Your users are children. Treat them as such.

      This is why IT guys are so universally loved and respected.

      • You know what though? It's time to stop letting user get a free pass with crap like this. They've been told. Don't follow unknown links you get in emails. Don't reply to emails asking for sensitive information. Don't give the dude who cold-called you your password. But they still keep doing this crap.

        If someone calls me up out of the blue and wants to know the schedules for building security, and the locations of all the security camera's, and I give it to them, I'm responsible. If someone backs a truck up

  • Vulnerable (Score:5, Funny)

    by haystor ( 102186 ) on Thursday April 07, 2011 @09:34AM (#35744598)

    Epsilon has always been vulnerable to attack by some smaller value of x.

  • by Anonymous Coward
    Are YOU afraid of a baby?
  • Every day since this story broke, I get yet another apology letter or two from another major company.
  • Employee clicks a phishing link in an email - that site is not filtered by their firewall
    The site requests and the employee allows downloads of executables - improper employee training and exes not filtered by firewall
    Employee allows exes to run - no exe blocking installed in the employee's PC
    Uploads of clear email lists - stored lists should be encrypted, and also no firewall monitoring/blocking of file transfers
  • Which engineering schools are now offering degrees in Social Engineering? Can I go back to school and get my MSSE?
    • by Tolvor ( 579446 )

      Actually, there is a couple of degrees for that...

      One is majoring in Political Science ("I do not do this for me, nor for my community, but because it the right thing to do for our CHILDREN.")

      The other is getting a degree in law (any specialty) ("Is it true that you still beat your wife?")

  • I work for... (Score:5, Interesting)

    by holmedog ( 1130941 ) on Thursday April 07, 2011 @11:22AM (#35745998)
    A direct competitor for Epsilon and I can say that everyone in our business (Epsilon included) has security measures in place to stop these kinds of things. Problem is, everyone at these types of companies are people. We might have millions invested in keeping data safe, but when you pay someone $10/hr to flip tapes in the data warehouse, you're still taking a risk that person might be doing something stupid in the interim. The simple fact is, data warehousing happens because it is cost efficient for companies to pay us to do it. That cost savings is seen by the consumer in the rates being knocked down for services. Why do you think you can get insurance so cheap? (well, here goes my karma...)

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...