DataBreaches.Net
Epsilon a Victim of Spear-Phishing Attack, Says Report (update/correction)

Posted on April 7, 2011 by Dissent

Jaikumar Vijayan follows up on the iTnews story mentioned earlier today, which reported that the Epsilon attack was a spear-phishing attack that resulted in malware being downloaded. Jai makes a point of noting, however, that there’s no proof or confirmation yet from Epsilon that this was a spear-phishing attack. As I commented earlier today, although iTnews claimed that it was “revealing” the type of breach, and I suspect Neil Schwartzman of CAUCE is quite correct in his opinion on this, there’s not yet any confirmation that this is what happened this time.

Jai reports:

It’s not clear whether anyone at Epsilon, or Silverpop saw the alert, or how they may have responded if they did.

Neither email service provider responded to a Computerworld request for comment today.

According to ITNews, the breaches at Silverpop and Epsilon in the weeks that followed were caused by these spear-phishing attacks.

Read more on CIO.

Could Epsilon have known about this type of attack to proactively prevent it? Absolutely.

Should they have known about it in November when it was reported by Return Path and Brian Krebs of KrebsonSecurity.com? Absolutely.

Did they know back then? They haven’t said.

What did they do if they did know back then? They haven’t said.

And that’s why we need a Congressional or legal inquiry into this breach. And we need to get other ESPs under oath to answer the question of whether they, too, were breached back in November or more recently.

Updated: As Neil Schwartzman noted in a comment under another blog entry, he didn’t claim that the Epsilon breach was due to this type of attack. According to Neil, “They used 4-month old quotes to draw a causal link. This could just as easily be copycats exploiting another vector. We simply don’t know.”

iTnews got ahead of the story, it seems.

Category: Breach Incidents, Commentaries and Analyses


2 thoughts on “Epsilon a Victim of Spear-Phishing Attack, Says Report (update/correction)”

  1. Jonathon says:
    April 7, 2011 at 5:56 pm

    Certified Email was supposed to be the only method that ESPs, marketers, ISPs and subscribers could collectively use to ensure the integrity of the email supply chain. ESPs taking shortcuts on passwords and security protocols of who has access to what data, marketers pushing the envelope as permission-based spammers, and ISPs that don’t subscribe to a single central standard of email authenticity... all put the email channel at risk. Return Path isn’t the answer either, because hackers can circumvent how they authenticate email.

    So... with the ESPs and ISPs not supporting Goodmail’s Certified Email and Goodmail finally folding their doors in February, why hasn’t our US Government and Sir Julius picked up the intellectual property of Goodmail and made it a part of the Federal Government’s Digital Infrastructure?

    If they put it inside the USPS, there would be a single honest broker who can sit between ESPs and ISPs to ensure the integrity of what’s coming through the system.

    To hell with the non-profits who say they can’t afford certified and trusted email. They can’t afford not to, and I would bet that World Vision and others are on this Epsilon list.

    Charge $1.00 CPM for all email sent, and the spam issue goes away IMMEDIATELY. As we shift from mindless consumption to mindful consumption in this booming economy, it’s incumbent upon the smarter people in the room to assess the risks of not adhering to a single email standard... and then do something about it. ESPs that get paid on volume will continue these practices. The only way to make more money is to send more email. A revenue model that is based on performance would be much more impactful, and appreciated by marketers and consumers alike. Question is... who’s going to lead on this issue?

    The only way this will happen is if Obama and Julius decree that email communications are an integral part of our national security, and that the use of the CertifiedEmail encrypted tokens... is the answer.

    Perhaps Gmail, Hotmail, Yahoo and others would then stop pushing proprietary protocols for spam detection and email receipt... and just live with a single standard.

    I can appreciate the ISPs being pissed about email, because they don’t get paid to deliver it. Think about 40 billion emails at $1.00 CPM on average, and you have $40,000,000 in revenue for Epsilon, and the ISPs don’t get a DIME. Think about Experian sending 80 billion messages a year at the same rate, and the ISPs don’t get a dime.

    If the ESPs and ISPs don’t agree on a single standard, people are going to keep tuning out of email, and marketers are going to have to resort to print and postage... once again. Because... our government demands it (prospectuses, changes in privacy notices, etc.).

    Fun times!

    1. admin says:
      April 7, 2011 at 6:27 pm

      Thank you for your thought-provoking comments. Clearly there’s a lot to discuss after this total cockup.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.