Epsilon Data Breach Could Have Been Worse

Somebody stole email addresses and names from marketing firm Epsilon, but apparently didn't get anything else.

When I opened my email this morning (meaning when I peered at my BlackBerry over my morning coffee), I scrolled past the usual notices of comments to last week's columns and found warnings waiting for me. The first one was from Hilton, who told me that my email address had been compromised. There were several others. These were the first indications of the Epsilon data breach that became apparent over the weekend.

The warnings from these companies explained that it's possible that spam emails might show up, and that they may contain information that's intended to get the recipients to reveal additional personal information. The warnings also included information about reporting these emails to the security offices at the respective companies, and said never to reveal anything personal in response to any email, whether it appeared to be from the company involved or from someone else.

What the companies didn't say, but which you should be aware of, is that the emails may go to other people and appear to be from you. In other words, recipients would see your email address in the "from" line as the spammers (or scammers) spoofed the address as a way to get past spam filters. Of course, spam filters these days examine the content of an email as a primary means of blocking spam, but once an email from you is determined to be spam, you could find your email address starting to show up on the lists of blocked email addresses of other people. This is a fairly annoying event that's hard to erase.

Your first indication that spammers are using your email address is a note from a friend asking you about it. But you are just about as likely to get emails that seem to be addressed from yourself to yourself. The spammers usually think that your own spam filter isn't going to block your own address, and sometimes they're right.

You may also find that emails you send to other people are simply not arriving. The person you're sending to probably won't know why unless they check their spam filter regularly. When this happens, it's possible to get the administrator at the other site to remove you from the spammer list, but your success may vary.

A more long-term solution is to create what is essentially a disposable email address on Gmail, Hotmail or one of the other free Web mail services. When it starts to collect too much spam, stop using it and open another one. Tell the people you care about what the new address is. Meanwhile, don't give out your email address to anyone unless there's a very good reason, and registering for a Website usually isn't a good reason. Once they send the confirmation email and you respond, all you're going to see in the future is spam or spam-like mail. Telling them to stop probably won't work, thus the value of the disposable email address.

However, back to the Epsilon breach. Apparently what the data loss exposed were email addresses and names. In some cases, it was limited to first names, a fact that I'm sure I'll be able to confirm eventually, since one of the companies that had its data exposed insists that my first name is "Garry."

So while Epsilon did indeed lose some data, it's data that's probably already available to spammers. So, in this case, the worst that's likely to happen is that your overall spam volume will increase. However, if your company's or ISP's spam filter is working right, you may never notice. But you should still pay attention to attempts to get additional information from you using emails, some of which will likely tell you there's been a data breach, and to click "Here" to confirm the details of your account. Whatever you do, don't click there.

It's also a good time to examine your use of your email address. You should be paying attention to exactly who gets your real address, and who gets the one that goes to a free Web mail service. You can even create tiered email accounts, so that you have one just for stuff where you never care if you see the email, and one that you have to monitor, but which you can change if you need to. I have two Gmail accounts for this purpose, one of which I check only often enough to keep it active.

While this may sound like more work than you'd like, in the long run, it's a lot safer than giving out your real permanent email address for the whole world to see. So the Epsilon breach isn't exactly the end of the world, but you need to be aware of it, and you need to be sure you don't assume that an email is really from a person or company you think you know just because it appears to come from them. But you should have been exercising that caution all along.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...