You’ve been told time and again to be careful about who you give your email address to, and to NOT give any personal information to businesses you don’t know or trust (ref: Spear Phishing with Unsecure Databases). But what about the BIG guys you do trust?
This Monday morning I awoke to dark skies, rain falling the day wasn’t looking too good. My Blackberry woke up a few seconds after me, beeping with my special urgent email tone alert. Its an email from Best Buy, adding joy to my wonderful Monday morning. While opening that email, I get another one from a financial institution I deal with. They both said the same thing:
Recently, we were notified of a system breach at Epsilon, a third-party vendor that provides marketing services to a number of companies, including us. The information obtained was limited to customer name and email addresses of some credit card customers. No account information or other information was compromised.
While checking on the Web for more details about the story, I sadly discover a third company I do business with, showing the same kind of warning on their website. Here’s a list of the affected sites I compiled from various articles I found on the web. Most of them warned their customers directly, but others just put a warning on their website:
- 1-800 Flowers
- Abe Books
- Air Miles
- American Express
- Ameriprise Financial
- Barclays Bank of Delaware
- Beachbody
- Benefit Cosmetic
- BestBuy
- Borders
- Brookstone
- Capital One
- Citigroup (provides credit cards for Home Depot, Staples, CAA and more)
- City Market
- CollegeBoard
- Dillons
- Disney Vacations
- Eddie Bauer
- Eileen Fisher
- Ethan Allen
- Food 4 Less
- Fred Meyer
- Frys Electronics
- Hilton Hotels Honors
- The Home Shopping Network (HSN)
- Jay C
- JP Morgan Chase
- King Soopers
- Kroger
- Lacoste
- LL Bean
- Marriott Rewards
- McKinsey Quarterly
- Moneygram
- New York & Co.
- QFC
- Ralphs
- Red Roof Inn
- Ritz Carlton
- Robert Half
- Smith Brands
- Target
- TD Ameritrade
- TiVo
- US Bank
- Verizon
- Visa
- Walgreens
There are some well-known names in there – who doesn’t do business with at least one of them? And what does it mean for the end-user?
Consider that Citi provides credit cards for a number of popular stores – Home Depot, for example. From the stolen data, a scammer can see that you’re a Home Depot customer, just from your NAME and EMAIL address. He can then craft a very legitimate-looking phishing email and website to target and trap you. You need to take steps to protect yourself being a phishing victim.
Sometimes the phishing messages you get are easily identifiable because you don’t have an account with that specific company. But this time around, the phishing attacks will personally target you. It won’t be tomorrow, and it might not happen this year or next, but it will happen.
References:
