Over the weekend there was a major security breach at Epsilon affecting customers of Best Buy, TiVo, Disney, US College Board, HSN and US Bank, and the list continues to grow as more information is uncovered. While the information obtained is only names and email addresses, it is a very dangerous situation for consumers who are not tech savvy.
As a victim of this breach, you may receive spam that is specifically addressed to you by name, which may cause you to let down your guard. If you receive an email asking for any personal information at all, do not respond. If an email contains a link, do not click on it. There are criminals looking for your personal information. Reputable businesses (especially financial institutions) will not ask for personal information by email and are adopting a best practice of providing directions to navigate their web site. They are moving away from adding links to their emails.
A little background: Epsilon is an outsourced “email service provider”, which means they are responsible for maintaining a database of email addresses and names for their customers, and blasting out marketing materials. From what I understand, this is an opt-in only type of campaign. In other words, you must have subscribed to receive these types of emails.
I received a warning email from one of the companies whose database was compromised. The warning states that my “email address was exposed by an unauthorized entry into Epsilon’s computer system”. As I stated in my previous post, it is ultimately the business that you have a relationship with, and not the outsourced company, that should be responsible to you.
Although this is a proactive approach, I am not pleased about the wording of the email to me. It basically passes blame to Epsilon. In my opinion, it is the responsibility of the business I am dealing with to protect my information, regardless of what their terms of service state. I don’t have any relationship with Epsilon, and cannot be expected to know how their business works. It is Best Buy, TiVo, Disney, US College Board, HSN, US Bank, etc. that owe me privacy.
If anyone out there receives the warning emails, don’t let the business off the hook. They owe you a better explanation than the legalese they have provided.
Readers: Has anyone received a notice? What steps do you take to minimize the risk of harm?
Update: Add Air Miles and Marriott to the list.