Monday, April 04, 2011

This may become the largest breach ever, measured by the number of individuals impacted...

And the hits just keep on coming for Epsilon

April 3, 2011 by admin

I think I’ll just use this blog entry to add further updates/entities to the Epsilon breach, so check back if you want to see what else has been reported. Here’s the current list, below. Links to documentation are in previous blog posts if not provided here:

JPMorgan Chase
Capital One
New York & Company
US Bank
Barclays Bank of Delaware (and Barclay’s L.L. Bean Visa card)
McKinsey Quarterly
College Board
Marriott Rewards
Ritz-Carlton Rewards
Disney Destinations (The Walt Disney Travel Company)
Benefit Cosmetics (see below)
Home Shoppers Network (HSN)

Best Buy
Best Buy Canada Reward Zone

Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server. Did the breach occur while they were still clients, or did Epsilon not remove their data from their server after they stopped using their service?

An email sent to DataLossDB, who shared it with this site, read:

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers’ names and email addresses has been compromised by an unauthorized person. The only information at risk is your name and email address.

The vendor has assured us that “a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.” This data breach has also affected several other companies that work with this vendor.


A Rash of Third-Party Data Breaches Takes a Toll on Businesses and Customers

April 3, 2011 by admin

Last month I reported that both and Maine’s Dept. of Conservation had been hit by breaches at their third-party vendors. Game Show Network (GSN) customers were also notified of a breach at a third-party vendor, but I didn’t report it at the time because I was trying to get confirmation from the company whether the breach was due to a compromise involving ExactTarget – the same vendor that may have been involved in a breach that was also reported recently. Although original media reports suggested that the breach might have been due to an SQL injection, some other reports suggest otherwise.

A GSN spokesperson tells

Yes, unauthorized access occurred to our email lists that led to fraudulent emails being sent to many of our players. We’re taking this matter very seriously and we are working with law enforcement to investigate the matter. We have identified the source and scope of the compromise and have been in touch with our players who clicked on the link in the fraudulent email. It’s important to note that no email lists were stolen, nor was any of our players’ personal information (credit card information, addresses, passwords, etc.) accessed or stolen. While opening the email message will not damage a recipient’s computer, we advised those players that if they entered personal information, made a purchase, or downloaded a file, they should contact their credit card company and run a virus scan as a safety precaution.

The spokesperson would not say whether the breach was at ExactTarget and they declined to indicate how many of their customers were affected. Other evidence, however, in the form of email headers sent to and posted to online forums, suggests that the GSN breach was due to a breach at ExactTarget.

ExactTarget did not respond to requests for a statement. Nor did, another client of theirs who had at least one customer receive a phishing attempt sent to a unique email address he only used for their mailing list. If ExactTarget was breached, it is somewhat surprising that we have not seen a lot of press releases from their clients who needed to notify customers.

Elsewhere, Fahmida Y. Rashid of eWeek reported:

Three recent data breaches at third-party Web service providers highlight the importance of organizations making sure customer data outside of the company is protected.


There have been other data breaches at third-party providers recently., an online seller of CDs, DVDs, books and apparel, notified customers on March 23 that its third-party marketing company’s database had been breached. CEO John Perkins told customers via’s Facebook page that the email marketing company is Silverpop, which was attacked a few months ago.


The agency claims none of the email addresses was affected by that episode, according to Perkins. It is not clear at this time whether email addresses and names were stolen during that attack, or if attackers got into Silverpop again more recently.

With respect to that last point, Tom Espiner of ZDNet writes:

Silverpop told ZDNet UK on Tuesday that it had suffered a breach in the autumn of 2010, but did not believe that this was affecting customers.

“While we are reviewing all possibilities, it’s difficult for us to directly connect the 2010 incident with specific spam messages sent this year,” said Silverpop spokeswoman Stacy Kirk.

Rashid also reported:

Users on Game Show Network forums reported receiving similar fake Adobe Acrobat/Reader spam on March 20. An examination of the email headers revealed the messages were being sent from GSN’s marketing company, ExactTarget. TripAdvisor has been an ExactTarget client since 2008, according to the company’s previous announcements.

Brian Krebs originally broke the story about these spear phishing attacks back in November, and provided an update in December.

Is the recent rash of breaches the result of the November attacks, or does it represent a newer rash of attacks as cybercriminals recognize how easy it may be to gain access to huge databases of email addresses?

And of course, now there’s the Epsilon breach.

With so many obvious compromises, isn’t it time for companies to be a bit more transparent about whether their customers’ email addresses have been acquired, and if so, who was the vendor involved?

At times like these, I’m really glad I use disposable or self-expiring email addresses when I sign up for some things.

About time! We're going to need Best Practices as Everyone starts using Social Media to communicate with customers and employees...

April 03, 2011

Best Practices Study of Social Media Records Policies

Best Practices Study of Social Media Records Policies, ACT-IAC Collaboration & Transformation (C&T) Shared Interest Group (SIG), March 2011

  • "Government agencies are increasingly incorporating Web 2.0 collaborative technologies, also known as social media, such as wikis and blogs, in conducting agency business. Federal recordkeeping requirements include developing and implementing policies for Federal records and cover records from social media.

  • The purpose of this study is to build a discussion around the use of social media to help government and its citizens connect more closely, collaboratively, and openly. The study involved interviews at 10 agencies regarding records management processes addressing the use of social media. The ACT-IAC Collaboration & Transformation Shared Interest Group (C&T SIG) sought to explore and identify government best practices of records policies for social media used to support agency missions. The team found that active use of social media tools has identified some challenges for recordkeeping, but also has allowed some best practices to surface which agencies are following or need to follow to address the challenges."

(Related) I must assume that all social network communications and probably all SMS (Short Message Service) texts would fall under CAN-SPAM as well.

CAN-SPAM Held to Apply to Social Media Messaging

April 3, 2011 by Dissent

Timothy Tobin writes:

On March 28, 2011, the U.S. District Court for the Northern District of California held, in Facebook, Inc. v. MAXBOUNTY, Inc., case no. CV-10-4712-JF, that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act. The court, in denying the defendant MAXBOUNTY’s motion to dismiss, rejected that CAN-SPAM applies only to traditional e-mail as it is commonly understood. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. The court did not reach or otherwise address the underlying merits of the CAN-SPAM claims.

Read more on Hogan Lovells Chronicle of Data Protection.

A guide for the technically naive (ignorant)

States Attempt to Address Privacy Risks Associated with Digital Copiers and Electronic Waste

April 3, 2011 by Dissent

On April 1, 2011, a New York law went into effect requiring retailers of certain electronic equipment to institute electronic waste collection programs and to provide information to consumers on how to “destroy all data on any electronic waste, either through physical destruction of the hard drive or through data wiping.” Manufacturers of devices that have hard drives capable of storing personal information or other confidential data must include instructions describing how consumers can destroy such data before recycling or disposing of the devices, and businesses that sell products with hard drives must inform customers at the point of sale where the data destruction information can be located.

Read more on Hunton & Williams Privacy and Information Security Law Blog.

A “How to” guide for Google?

April 03, 2011

A Guide For the Perplexed Part IV: The Rejection of the Google Books Settlement

A Guide For the Perplexed Part IV: The Rejection of the Google Books Settlement, by Jonathan Band

  • "On March 22, 2011, Judge Denny Chin rejected the proposed settlement in copyright infringement litigation over the Google Library Project. Judge Chin found that the settlement was not “fair, reasonable, and adequate” as required by the Federal Rules of Civil Procedure. Judge Chin issued the decision over a year after the fairness hearing he conducted. His opinion agrees in large measure with the objections to the settlement asserted by the U.S. Department of Justice at the hearing and in its written submissions. This paper discusses the opinion and where it leaves Google Books Search."

I see this as the future of Scientific Journals. Other journals (e.g. Law) as well.

April 03, 2011

Open access, readership, citations: a randomized controlled trial of scientific journal publishing

Open access, readership, citations: a randomized controlled trial of scientific journal publishing, Philip M. Davis, Department of Communication, Cornell University, Ithaca, New York

  • "Does free access to journal articles result in greater diffusion of scientific knowledge? Using a randomized controlled trial of open access publishing, involving 36 participating journals in the sciences, social sciences, and humanities, we report on the effects of free access on article downloads and citations. Articles placed in the open access condition (n=712) received significantly more downloads and reached a broader audience within the first year, yet were cited no more frequently, nor earlier, than subscription-access control articles (n=2533) within 3 yr. These results may be explained by social stratification, a process that concentrates scientific authors at a small number of elite research universities with excellent access to the scientific literature. The real beneficiaries of open access publishing may not be the research community but communities of practice that consume, but rarely contribute to, the corpus of literature." FASEB J. 25, 000–000 (2011).
