Data breach hits home; Kroger, banks among those affected
LOUISVILLE, Ky. (WDRB Fox 41) -- Warning!
Hackers and scammers may now have your name and email address from any number of big businesses in the country.
You may have received emails from those businesses alerting you to the problem, and now there's one more thing you need to do.
Stores like Kroger say the keeper of their customer information suffered a huge breach of data late last week.
Hackers got some of your information, but not all.
"Maybe the good news is that it appears to be limited to customer names and email addresses. No financial information has been stolen from anything we've seen. Just names and email addresses, and those email addresses are likely to fall into the hands of malicious people," explained Charlie Mattingly of the Louisville Better Business Bureau.
The BBB has received plenty of calls asking what to do.
The breach in a company called Epsilon first became public locally in an email from Kroger to its customers.
Kroger sent out that email Friday evening and other companies followed suit through Monday.
Other businesses affected include Walgreens, J. P. Morgan/Chase bank, Marriott hotels, Citigroup, Capital One, Barclays Bank, TiVo, New York and Company and even the College Board, the administrators of SATs and other college tests.
"We give our data to these people, and we trust them to be careful with it, and they don't," said Louisville resident Joseph Impellizzeri.
John Impellizzeri buys groceries at Kroger.
He buys online from Best Buy.
The breach touches him at least twice, and others maybe even more so.
So what to do?
Ignore any emails asking for any personal information, especially if they appear to be legitimate messages from those businesses.
"Never respond to an email request for personal identifying information like passwords, account numbers, social security numbers. No legitimate business is going to ask for those by email," Mattingly said.
"I'm very concerned, I'll have to watch my credit card statements," Impellizzeri said.
"I don't respond to phishing emails, because they ask for credit card information or date of birth."
Further information on the national scope of the breach comes from the following Associated Press article from Monday afternoon:
NEW YORK (AP) -- With the possible theft of millions of email addresses from an advertising company, several large companies have started warning customers to expect fraudulent emails that try to coax account login information from them.
Companies behind such brands as Chase, Citi and Best Buy said over the weekend that hackers may have learned their email addresses because of a security breach at a Dallas-based company called Epsilon that manages email communications.
The email addresses could be used to target spam. It's also a standard tactic among online fraudsters to send emails to random people, purporting to be from a large bank and asking them to log in at a site that looks like the bank's site. Instead, the fraudulent site captures their login information and uses it to access the real account.
The data breach could make these so-called "phishing" attacks more efficient, by allowing the fraudsters to target people who actually have an account with the bank.
David Jevans, chairman and founder of the non-profit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate phishing toward more intelligent attacks known as "spear phishing," which rely on having more intimate knowledge of the victims.
"This data breach is going to facilitate that in a big way. Now they know which institution people bank with, they know their name and they have their email address," said Jevans, who is also the CEO of security company IronKey Inc.
"You're not going to see typical phishing where 90 percent of it ends up in spam traps and is easily detected. This is going to be highly targeted," he added.
Among the affected are financial-service companies such as Capital One Financial Corp., Barclays Bank, U.S. Bancorp, Citigroup Inc., JPMorgan Chase & Co. and Ameriprise Financial Inc. and retailers including Best Buy Co., TiVo Inc., Walgreen Co. and Kroger Co.
The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.
Walt Disney Co.'s travel subsidiary, Disney Destinations, sent emails warning customers on Sunday. Hotel chain Marriott International Inc. issued a similar warning.
Epsilon said Friday that its system had been breached, exposing email addresses and customer names but no other personal information.
Epsilon, a unit of Alliance Data Systems Corp., sends more than 40 billion emails annually and has more than 2,500 clients.
Shares of the parent company fell $2.78, or 3.2 percent, to $83.15 in early afternoon trading Monday.
The scale of the data breach meant that many people got warnings from multiple companies over the weekend.
Jill Kocher in Crystal Lake, Ill., said she got at least five emailed warnings, including from U.S. Bank, Best Buy and New York & Co.
Because she works for Groupon, an Internet coupon company, she feels savvy enough to avoid any phishing come-ons, but she's concerned for those who aren't.
"U.S. Bank sends you an email and it looks legit and you cough up the information, and now you're in big trouble. It sure does sound like a big increase in fraud, just waiting to happen," Kocher said.
The Epsilon breach follows another major hacking attack in recent weeks.
RSA, the security division of EMC Corp., acknowledged last month that its computer network was hacked. The implications are serious because RSA's technology underpins the security of some of the world's most closely guarded data.
RSA makes security "tokens" that supply constantly changing numbers that are used as a kind of secondary password for accessing corporate networks and e-mail. The military, big banks, health insurers and other critical institutions are customers.
If the attacker managed to steal the codes that determine which numbers appear on the tokens, that information can be used to perform mass infiltrations -- if the attacker already has other information about the targets, which can be gleaned from the type of "spear phishing," or targeted phishing, e-mails that the Epsilon breach can enable.
"I'm a little concerned that there's a big pattern going on here of very major breaches, where if you combine that information together, you could launch some pretty major attacks that would be very successful," Jevans said.
Epsilon is a big moneymaker for Alliance Data Systems, which is based in Plano, Texas.
Epsilon made $65 million in operating profit last year, and its $613.3 million in revenue was 22 percent of Alliance Data Systems' total.
Epsilon touts the breadth of the data it collects, and its ability to pair that with customers' e-mail lists for more targeted sales pitches for new products.
In a regulatory filing, the company said it has collected consumer transaction data from more than 1,500 marketing firms and operates what it bills as the world's biggest permission-based e-mail marketing platform.
AP Technology Writer Jordan Robertson in San Francisco contributed to this report.
(Copyright 2011 by The Associated Press. All Rights Reserved.)