Friday, April 08, 2011

This is going to take a shelf full of books to document...

And the hits just keep on coming for Epsilon

April 3, 2011 by admin

Note: CBS reports that the Secret Service is investigating the Epsilon breach. If you receive a phishing attempt that you want to report to the Secret Service, email You can also file a report at I’ll add businesses to the list of affected customers as I become aware of them, so check back if you want to see what else has been reported. See Brian Krebs’ commentary on the fears about spear phishing as a result of this breach.

  1. 1-800-FLOWERS

  2. AbeBooks

  3. AIR MILES Reward Program (Canada)

  4. Ameriprise

  5. Barclays Bank of Delaware (BJ’s Visa, L.L. Bean Visa)

  6. Beachbody

  7. bebe

  8. Best Buy

  9. Best Buy Canada Reward Zone

  10. Benefit Cosmetics (see below)

  11. Brookstone

  12. Capital One

  13. Charter Communications

  14. Citi (ExxonMobil, Card,Home Depot Card, NTB Card, The Place)

  15. City Market

  16. College Board

  17. Crucial

  18. Dell Australia

  19. Dillons

  20. Disney Destinations (The Walt Disney Travel Company)

  21. Eddie Bauer Friends

  22. Eileen Fisher (doesn’t name Epsilon but same template letter)

  23. Ethan Allen

  24. Eurosport Soccer (

  25. Food 4 Less

  26. Fred Meyer

  27. Fry’s

  28. Hilton Honors

  29. Home Shopping Network (HSN)

  30. Jay C

  31. JPMorgan Chase

  32. King Soopers

  33. Kroger

  34. Lacoste (and as per TG Daily)

  35. Marriott Rewards (FAQ on site)

  36. Marks & Spencer

  37. McKinsey Quarterly

  38. MoneyGram

  39. New York & Company

  40. QFC

  41. Ralphs

  42. Red Roof Inn

  43. Ritz-Carlton (FAQ)

  44. Robert Half International

  45. Scottrade

  46. Smith Brands

  47. Stonebridge Life Insurance

  48. Target

  49. Tastefully Simple

  50. TD Ameritrade


  52. TiVo

  53. US Bank

  54. Verizon

  55. Viking River Cruises

  56. Walgreens

  57. World Financial Network National Bank (Ann Taylor, Catherine’s, Chadwick’s, Dressbarn, Express card, Fashion Bug, Giant Eagle fuelperks!, J Crew, Lane Bryant, Maurice’s, PotteryBarn/Kids/Teens, RadioShack, Sears, Smile Generation Financial, The Limited, United Retail Group (Avenue, Jessica London, OneStopPlus), Value City Furniture, Victoria’s Secret)

Thanks to all those who have copied and pasted in the emails you have received. If you have something you think I’m missing, please check the list first to see if I already have the name of the company and a linked copy of the notice (bank cards are under the name of the issuing bank), and if not, post away!

Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server. Did the breach occur while they were still clients or did Epsilon not remove their data from their server after they stopped using their service?

An email sent to DataLossDB who shared it with this site, read:

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers’ names and email addresses has been compromised by an unauthorized person. The only information at risk is your name and email address.

The vendor has assured us that “a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.” This data breach has also affected several other companies that work with this vendor.

(Related) If the “breachee” is responsible for notifying the customers of their customers, what are the implications for Cloud Computing?

Who should be notifying consumers about the Epsilon breach?

April 7, 2011 by admin

Senator Richard Blumenthal, a staunch consumer privacy advocate, has said that Epsilon should be notifying every consumer whose data were involved in the recent humongous breach. You can read his entire letter to Attorney General Eric Holder requesting an investigation on his web site, but here’s part of what he wrote:

I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft.


I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients. I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft.

Who Should Send Us the Notifications?

Should Epsilon be sending us the notifications – as Senator Blumenthal’s letter would seem to suggest – or should the company who gave our data to them be sending us the notifications?

[How about “Fourth Party” actors? Bob] If you have an account with a store and got a branded credit card through World Financial Network National Bank (WFNNB), WFNNB sent you the notification and apology email. They told you that their email was about [name of store where you have an account], but it was their email to you – not the store’s.

So you got the important information to be alert to phishing attempts, but you probably didn’t hear from the store. Are you okay with that? It was WFNNB who had the contract with Epsilon (or so it seems from their notification email text), but whom do you feel you have the relationship with – the store or WFNNB?

Who owes you the apology as well as the information?

And who should be accountable for this? The store or WFNNB – or both?

You trusted the store. They trusted WFNNB. WFNNB trusted Epsilon. But it all started with consumer trust in the store. And I think we need to hold the stores (or hotels or financial institutions) accountable if they want to keep our trust and our business. For that reason, I’ve been including all of their names in the running list of affected entities even though most other sites keeping tabs have not taken this approach and might just list WFNNB.

I’d also point out that on practical and safety levels, even if we had gotten an email from Epsilon (as the Senator urges), would most of us have even opened it, much less believed it – or would we have just looked at the subject line and deleted it as probably spam or a phishing attempt?

What do you think? You can sound off in the Comments section.

Here's one we haven't heard from in some time. I'm certain this will get all the attention it deserves.

T.J.Maxx hacker says feds gave him the OK

Albert Gonzalez, the hacker who pleaded guilty to leading one of the largest cases of credit card theft in the U.S., is asking a judge to toss out the pleas, arguing that they were part of his assignments as a paid government informant.

"I still believe that I was acting on behalf of the United States Secret Service and that I was authorized and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cybercriminals," Gonzalez wrote in a 25-page petition filed March 24 with the U.S. District Court in Massachusetts and published on the Threat Level blog. "I now know and understand that I have been used as a scapegoat to cover someone's mistakes."

“Hey, our degrees are in education. They never trained us to count!”

(update) More Student SSNs Were At Risk, TEA Says

April 7, 2011 by admin

Morgan Smith reports that a breach involving the Texas Education Agency was much worse than originally reported. An unencrypted disk containing data on almost 25,000 Laredo Independent School Districtast month, the TEA reported that an students had gone missing. But when the Texas Tribune obtained records about the breach, they discovered that there were data on 164,406 students who graduated from eight Texas school districts over the past two decades that had been sent via unencrypted disks.

The data were for students who graduated between 1992 and 2010 in the top 10% of their classes in the Crowley, Harlingen, Round Rock, Killeen, Richardson, Irving, Mansfield, and Grand Prairie school districts.

Between August (2010) and January (2011), the districts mailed unencrypted CDs loaded with students’ Social Security Numbers, dates of birth and ethnicity — data requested by the University of Texas at Dallas ’ Education Research Center — to the TEA, with the expectation that the TEA would deidentify the records and pass them along to UT-Dallas.


A TEA spokeswoman told the Tribune today that Laredo ISD’s data set is the only one believed to be missing. [“Of course, we didn't know about the other 140,000 students either” Bob] The January memo says the agency has since destroyed the CDs from the eight districts whose information it did receive.

Read more in the Texas Tribune.

I would expect any judge to do this, but I have one of those “I'm not a lawyer” questions. Shouldn't someone from the Patent Office be explaining this to the Judge? If they explained it the way Oracle said it should work wouldn't that end the case? What did the Patent Office think they were granting a Patent for?

Judge In Oracle-Google Case Given Crash Course in Java

"Lawyers for Oracle and Google gave Judge William Alsup of the U.S. District Court in San Francisco an overview of Java and why it was invented, and an explanation of terms such as bytecode, compiler, class library and machine-readable code. The tutorial was to prepare him for a claim construction conference in two weeks, where he'll have to sort out disputes between the two sides about how language in Oracle's Java patents should be interpreted. At one point an attorney for Google, Scott Weingaertner, described how a typical computer is made up of applications, an OS and the hardware underneath. 'I understand that much,' Alsup said, asking him to move on. But he had to ask several questions to grasp some aspects of Java, including the concept of Java class libraries. 'Coming into today's hearing, I couldn't understand what was meant by a class,' he admitted."

Senator, your STD test results are back...”

Doctor visit text reminders violate patient privacy: Swedish health board

By Dissent, April 8, 2011

The Swedish health authorities have made a privacy-protective ruling about text messaging patients:

Text message reminders for appointments with doctors or dentists may soon be a thing of the past in Sweden.

The National Board of Health and Welfare (Socialstyrelsen) have found them to be in breach of their rules on patient confidentiality.

“It is against our rules. The texts contain patient information and must therefore be handled securely,” Anders Printz of the National Board of Health and Welfare said to daily Dagens Nyheter (DN).

Today, many health care providers in Sweden use text messages to remind patients of looming appointments. But now this will have to cease. At least for the time being.

The rules apply to both dentists’ and doctors’ appointments and it makes no difference if the patient has agreed to be contacted by text message.

Read more in The Local (Se)

I admit I’ve never even thought about this issue as I don’t text anyone, period, but in light of this news story, I wonder how many U.S. health care professionals use text messages to communicate with patients. I hope none, but I wouldn’t be surprised to hear that it goes on.

[From the article:

The National Board of Health and Welfare argue that because the traffic is not encrypted there is no way of making sure that the texts reach the right person.

… The Swedish Public Dental Service (Folktandv√•rden) is one health care provider that has made good use of text message reminders. They think that the reasoning around text messages is surprising.

“It seems strange that it wouldn’t be allowed to send text messages to those patients that have agreed to it. If they give us their phone number we are allowed to phone them,” Irene Smedberg of the Public Dental Service said to DN.

(Related) “Citizens! Give us your personal information so we can protect it! If you don't voluntarily surrender this information, we'll assume you have something to hide...”

Report: U.S. to issue terror alerts via Facebook, Twitter

The Department of Homeland Security plans to replace its color-coded, five-level system of terrorism alerts with a new two-tiered approach later this month and will issue some public alerts via Facebook and Twitter, according to a report.

The Associated Press said it had obtained a confidential, departmental document outlining the plan, which, though not yet finalized, should go into effect by April 27.

According to the AP, the new plan will ditch the notoriously perplexing, green-to-red, low risk–to–severe risk system put in place in 2002 with a two-level system that labels threats as either "elevated" or "imminent." [Do you know if those “levels” connect with any specific regulatory power? If it was possible to have a “Nothing To Worry About” level, would there be a cut in funding? Bob]

“We've gotta DO something!”

TSA Is Taking Steps to Validate the Science Underlying Its Passenger Behavior Detection Program, but Efforts May Not Be Comprehensive

As GAO reported in May 2010, TSA deployed its behavior detection program nationwide before first determining whether there was a scientifically valid basis for the program. According to TSA, the program was deployed before a scientific validation of the program was completed in response to the need to address potential security threats. However, a scientific consensus does not exist on whether behavior detection principles can be reliably used for counterterrorism purposes, according to a 2008 report of the National Research Council of the National Academy of Sciences.

For my Ethical Hackers

Schneier's blog tips an article about research into geolocation that can track down a computer's location from its IP address to within 690 meters on average without voluntary disclosure from the target. Quoting:

"The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target's possible location to a radius of around 200 kilometers. Wang and colleagues then send data packets to the known Google Maps landmark servers in this large area to find which routers they pass through. When a landmark machine and the target computer have shared a router, the researchers can compare how long a packet takes to reach each machine from the router; converted into an estimate of distance, this time difference narrows the search down further. 'We shrink the size of the area where the target potentially is,' explains Wang. Finally, they repeat the landmark search at this more fine-grained level: comparing delay times once more, they establish which landmark server is closest to the target."

No doubt this will confuse those in the Academic community who refuse to allow their students to use Wikipedia...

Editing Wikipedia Helps Professor Attain Tenure

"Lianna Davis writes in Watching the Watchers that Michel Aaij has won tenure in the Department of English and Philosophy at Auburn University Montgomery in Alabama in part because of the more than 60,000 edits ... he's written for Wikipedia. ... Aaij felt that his contributions to Wikipedia merited mention in his tenure portfolio and a few weeks before the portfolio was due two of his colleagues suggested, after they had heard him talk once or twice about the peer-review process for a Good Article, that he should include it under 'research' as well as well as 'service.'"

No comments: