Somebody stole email addresses and names from marketing firm Epsilon, but apparently didn't get anything else.
When I opened my email this
morning (meaning when I peered at my BlackBerry over my morning coffee), I
scrolled past the usual notices of comments to last week's columns and found
warnings waiting for me. The first one was from Hilton, who told me that my email
address had been compromised. There were several others. These were the first
indications of the Epsilon
data breach that became apparent over the weekend.
The warnings from these companies
explained that it's possible that spam emails might show up, and that they may
contain information that's intended to get the recipients to reveal additional
personal information. The warnings also included information about reporting
these emails to the security offices at the respective companies, and said
never to reveal anything personal in response to any email, whether it appeared
to be from the company involved or from someone else.
What the companies didn't say, but
which you should be aware of, is that the emails may go to other people and
appear to be from you. In other words, recipients would see your email address
in the "from" line as the spammers (or scammers) spoofed the address as a way
to get past spam filters. Of course, spam filters these days examine the
content of an email as a primary means of blocking spam, but once an email from
you is determined to be spam, you could find your email address starting to show
up on the lists of blocked email addresses of other people. This is a fairly
annoying event that's hard to erase.
Your first indication that spammers are
using your email address is a note from a friend asking you about it. But you
are just about as likely to get emails that seem to be addressed from yourself
to yourself. The spammers usually think that your own spam filter isn't going
to block your own address, and sometimes they're right.
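The spoofing described above leaves traces in a message's headers. The following Python sketch is an added example, not part of the original column: it flags a message that claims to be from you to you, whose envelope sender (Return-Path) belongs to a different domain than the "from" line, or that did not pass your own mail server's SPF and DKIM checks. The addresses, the server name mx.example.com and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

MY_ADDRESS = "reader@example.com"   # assumption: the mailbox owner's address
MY_MX = "mx.example.com"            # assumption: name our own mail server stamps

def _addr(value):
    return parseaddr(value or "")[1].lower()

def auth_results(msg, trusted_server):
    """Collect method=result pairs, only from headers added by our own server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = header.partition(";")
        if server.strip().lower() != trusted_server:
            continue                # a sender can forge this header upstream
        for clause in rest.split(";"):
            method, sep, outcome = clause.strip().partition("=")
            if sep and outcome.split():
                results[method.lower()] = outcome.split()[0].lower()
    return results

def spoof_indicators(raw, my_address=MY_ADDRESS, trusted_server=MY_MX):
    """Return a list of warning signs; indicators, not a verdict."""
    msg = message_from_string(raw)
    sender, rcpt = _addr(msg["From"]), _addr(msg["To"])
    envelope = _addr(msg["Return-Path"])
    auth = auth_results(msg, trusted_server)
    found = []
    if sender == my_address and rcpt == my_address:
        found.append("self-addressed")
    if envelope and envelope.rpartition("@")[2] != sender.rpartition("@")[2]:
        found.append("envelope-mismatch")   # also true of some mailing lists
    for method in ("spf", "dkim"):
        if auth.get(method, "none") != "pass":
            found.append(method + "-not-pass")
    return found

# Constructed sample headers, not taken from any real message.
SPOOFED = """\
Return-Path: <bounce@bulk.example.net>
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=bulk.example.net; dkim=none
From: "You" <reader@example.com>
To: reader@example.com
"""
GENUINE = """\
Return-Path: <friend@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: Friend <friend@example.org>
To: reader@example.com
"""
```

Calling `spoof_indicators(SPOOFED)` reports all four warning signs, while `spoof_indicators(GENUINE)` reports none.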
You may also find that emails you send
to other people are simply not arriving. The person you're sending to probably
won't know why unless they check their spam filter regularly. When this happens,
it's possible to get the administrator at the other site to remove you from the
spammer list, but your success may vary.
A more long-term solution is to create
what is essentially a disposable email address on Gmail, Hotmail or one of the
other free Web mail services. When it starts to collect too much spam, stop
using it and open another one. Tell the people you care about what the new
address is. Meanwhile, don't give out your email address to anyone unless
there's a very good reason, and registering for a Website usually isn't a good
reason. Once they send the confirmation email and you respond, all you're going
to see in the future is spam or spam-like mail. Telling them to stop probably
won't work, thus the value of the disposable email address.
However, back to the Epsilon breach.
Apparently what the data loss exposed were email addresses and names. In some
cases, it was limited to first names, a fact that I'm sure I'll be able to
confirm eventually, since one of the companies that had its data exposed
insists that my first name is "Garry."
So while Epsilon did indeed lose some
data, it's data that's probably already available to spammers. So, in this
case, the worst that's likely to happen is that your overall spam volume will
increase. However, if your company's or ISP's spam filter is working right, you
may never notice. But you should still pay attention to attempts to get
additional information from you using emails, some of which will likely tell
you there's been a data breach, and to click "Here" to confirm the details of
your account. Whatever you do, don't click there.
It's also a good time to examine your
use of your email address. You should be paying attention to exactly who gets
your real address, and who gets the one that goes to a free Web mail service.
You can even create tiered email accounts, so that you have one just for stuff
where you never care if you see the email, and one that you have to monitor,
but which you can change if you need to. I have two Gmail accounts for this
purpose, one of which I check only often enough to keep it active.
While this may sound like more work
than you'd like, in the long run, it's a lot safer than giving out your real
permanent email address for the whole world to see. So the Epsilon breach isn't
exactly the end of the world, but you need to be aware of it, and you need to
be sure you don't assume that just because an email comes from a person or
company you think you know, that it's really from them. But you should have
been that skeptical all along.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.