The End of Digital Innocence: What Does the Epsilon Breach Mean?

A Focused Attack

A hacker who has your email address, and your name, and the names of the businesses with whom you have relationships can launch truly insidious “spear phishing” attacks and, who knows, in a moment of acquisition ecstasy or carelessness you might just bite. In response to a very personalized email, people are much more likely to reveal truly personal information, or click on attachments far more venomous than the usual ham-handed and misspelled spam letters. Our whole lives are contained in our email files, as well as any confirmations of changes in our digital existence (and lest we forget, all password changes are confirmed back to our email). So when you innocently click on what appears to be an official memo, or email your BFF (or community thereof) to share the news about that great new car you just bought, voila!, you just provided another gateway to your digital soul, and handed a very clever and patient thief yet another piece of the puzzle they so lovingly cobble together in order to become you for their benefit. In the digital age, your email address, unique and personal to you, is as much of a unique identifier as your Social Security number. In fact, your email address may allow you to be financially “profiled” by very criminal minds.

“When one has tens of millions of email addresses and an effective spear-phishing strategy, even if only a low percentage of targets respond, we are still looking at millions of people who could unintentionally release their personal information to the wrong people, or unknowingly click on a malicious link that installs malware on their computer,” says Ondrej Krehel, information security officer at Credit.com’s sister company, Identity Theft 911. “Worse yet, these emails can be sent from all of their affiliations in the Epsilon database, perhaps on a weekly basis. The magical combination of customer emails and their affiliations with institutions gives hackers a more direct route for monetization.”

[Resource: Determine your exposure to identity theft with the free Identity Risk Score]

The Epsilon breach was the most high profile, yet not most potentially devastating, breach to happen in the last few weeks. In March, RSA Data, a provider of information security, risk and compliance solutions, also announced—rather grudgingly and in abstruse terms—a major security breach. Even now, no one knows the full extent of that breach. But a clearer picture is emerging of how it happened. An innocent (not terribly prescient) employee of RSA actually opened an attachment to an email with the subject line “2011 Recruitment Plan.xls” even though he found it in his junk mail file. The attachment contained a virus which enabled the hackers to probe him and others for a couple of days, using their email contacts and information to dig deeper and deeper into the mysterious world of RSA until ultimately they isolated the right high access players who were the gateway to a very discrete section of the RSA system.

I am not talking here about some guy sending annoying spam to folks at RSA for his amusement. It was an “advanced persistent threat” attack that targeted their SecurID two-factor authentication product. Relentless, patient hackers spear-phished RSA employees using sophisticated and clandestine means to gain continual, persistent intelligence, according to a recent blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

There is a theory that this was a state-sponsored hacking by a foreign government. Another theory, too, is that it’s corporate espionage, in which globally divided superpowers compete for intellectual property.

Not About the “Quick Hit” Anymore

For years we have been telling people that unless you are talking credit card or account compromise, it is not about the quick hit. Now that affected institutions have taken Paul Revere’s ride through their customer base, it is not a slam dunk that millions of consumers will be instantly spear-phished.

Identities are currency. They are evergreen. Like fine wine they get better with age.

The trajectory of this crime is much more subtle. It will be done over time by very calculating and patient hackers adding one piece of the puzzle at a time. Over a period of months, even years, email will arrive from impostors posing as businesses representing all aspects of our lives. They will ask for a tad of information here and there, offer a link to an irresistible deal, call upon us to make an impulsive decision and provide some personal identifying information in return for a product or service we can’t live without. They will engage us, attempt to garner our trust, compromise our information or turn our computers into transmitters of account numbers and passwords.

With that firmly in mind, there are several things we must do: we must better secure our computers, be more skeptical and less forthcoming. We must read, think and evaluate the logic and value of the request and the reward before we click on any button other than “delete.”

So maybe Epsilon was aptly named. As it turns out, the company became entrenched in something out of a spy novel, and it certainly demonstrates “elasticity” of information, doesn’t it? Ronald Reagan wisely said in a different context “trust but verify.” He was talking about nuclear arms, but our subject can also be deadly—fiscally—on a grand scale. The sad truth is that in the digitally dominated 21st century, you can forget about the trust part. Verify and protect everything. Always. Vigilantly. The World Wide Web is not a court room, but you can easily be made an innocent victim without due process.