Epsilon: a Watershed for an Industry Under Siege
Last week, consumers in the U.S. were bombarded with e-mail messages warning them of what may be the most widely felt data breach in U.S. history. A company that most of them had never heard of, Epsilon Interactive, had been compromised and their names and e-mail addresses had been stolen.
For a few days, it seemed that almost everyone was getting a warning message. The notes all struck the same tone: "Email files have been accessed without authorization," said one, sent to holders of the Dressbarn credit card. "You could receive some spam email messages. We sincerely apologize."
The breach left many victims uneasy, rather than outright scared. After all, these are stolen e-mail addresses, not Social Security numbers or bank account details. Brian Jacobs is a typical victim. An IT manager with the city of Rockport, Texas, he woke up on Monday, April 4 to a warning e-mail from his former employer, staffing firm Robert Half International, telling him that his e-mail address had been taken. With nothing more in the balance, Jacobs said he wasn't particularly worried, but he didn't feel good either. "When they said, 'They just got your e-mail address,' it's like, 'Well, that's what you're telling me today. Are you going to be telling me something else tomorrow?'" he said.
One thing that neither Epsilon nor its parent company, marketing giant Alliance Data, are discussing is the fact that the Epsilon breach is just the latest development in a long-running campaign to hack into the service companies that pump out the bulk of the nation's sales coupons, air miles account updates, and friendly reminders that make up legitimate marketing e-mail campaigns. There are hundreds of these companies out there, ranging from small mom-and-pop operations to large subsidiaries of publicly traded corporations like Epsilon. And over the past year, spammers have been trying to break into them with a vengeance.
"There has been a series of attacks on e-mail service providers that has been occurring since December 2009," said Neil Schwartzman, executive director with CAUCE (the Coalition Against Unsolicited Commercial Email), an anti-spam advocacy group. "About a dozen ESPs were hacked over the course of 2010."
That's particularly worrying because while Schwartzman and others say that many ESPs have been hacked, only four companies have admitted that they were compromised: Epsilon, Silverpop, AWeber Communications and ReturnPath, a company that sells services to ESPs.
With many of these attacks, the criminals target clients of the e-mail service provider. They take over their corporate accounts and then use them to send spam -- often fake Skype or Adobe reader updates that actually contain malicious software.
Schwartzman knows a lot about the problem. He is formerly senior director of security strategies with ReturnPath, which was hit by hackers late last year. ReturnPath isn't an ESP, but it sells deliverability services to more than 2,000 ESPs, including Epsilon. These deliverability services are extremely important to ESPs because they help them get their legitimate marketing e-mail through spam filters.
All of this gets turned on its head when an ESP is hacked. It's a spammer's fantasy come true. The criminal gets client e-mail addresses along with the names of companies those people do business with -- all you need for a targeted "spear phishing" attack. And by using the e-mail service provider to send out his spam, the bad guy gets a near-guarantee that his scam messages will get through anti-spam filters.
When ReturnPath was hacked, criminals stole e-mail addresses belonging to 13,000 of its users -- ESP employees and marketing professionals who had accounts with the ESPs. Some believe that a November 2009 attack on ReturnPath may have given hackers a stepping stone to launch attacks on thousands of accounts at ESPs that used ReturnPath's services.
Last year, ReturnPath said that e-mail operations employees at more than 100 ESPs and gambling sites had been hit with targeted phishing attacks. Victims would get an e-mail specially targeted to them with a link to a website that then tried to install malicious password-stealing software on their computers. "This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems," ReturnPath said in a blog posting, written by Schwartzman. "Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable."
In many of these cases, overseas criminals apparently broke into ESP accounts and then used them to send spam. Criminals use hacked accounts to send links to questionable Adobe Reader updates, which could be pirated software, or worse -- malicious Trojan horse programs, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.
Silverpop's breach reportedly affected hundreds of companies, including McDonald's. And some of them were promptly phished and spammed by scammers looking to steal sensitive information, using the Silverpop e-mail system.
Epsilon had problems last year too. In December 2010, Walgreens warned clients that someone had stolen its e-mail marketing list and was using it in phishing attacks, asking for Social Security numbers and credit card accounts. Walgreens, which was hit again by this latest Epsilon breach, used Epsilon as its e-mail service provider at the time of the December 2010 incident, said Tiffani Washington, a spokeswoman for the drugstore chain.
All three of the compromised ESPs -- AWeber, Silverpop and Epsilon -- have business relationships with ReturnPath. However, with so many ESPs under attack for so long, it's not clear whether the ReturnPath attack can be linked to any of the other hacks, including the recent Epsilon breach, now thought to have affected about 60 companies, including Verizon, Citibank and JPMorgan Chase.
In fact there's an important difference between the recent Epsilon incident and other ESP hacks, Warner said. "The primary difference between Silverpop and Epsilon is that in the Silverpop case, criminals managed to send e-mails through the Silverpop system," he said. In the Epsilon case they only downloaded data.
But if the marketing industry doesn't address the problem, it could lead to a meltdown in consumer confidence and the possibility of government regulation, said Craig Spiezle, executive director with the Online Trust Alliance. "This is a serious problem," he said. "It's the tip of the iceberg here."
Spiezle's group, which includes marketers, Internet service providers and security companies, has been trying to encourage e-mail service providers to beef up their security game. But Spiezle and others say that while some marketers and advertising networks take security seriously, many do not. "Security was not a design fundamental of what they created," Spiezle said. "Today they've underinvested and underanticipated the impact of the cybercriminal."
It's a problem that the e-mail marketing industry would very much like to see go away. The Direct Marketing Association (Epsilon CEO Bryan Kennedy is a board member) initially wouldn't comment in detail on the problem of targeted attacks against e-mail service providers. But on Sunday, spokeswoman Sue Geramian said that the marketing industry association is putting together a special task force to look at the situation and possibly revise the group's guidelines relating to data breaches.
One veteran e-mail marketer, who spoke on condition of anonymity, said that industry opinion about whether there will be long-term backlash over Epsilon is "almost evenly divided."
"Of course they want it to blow over because if it doesn't blow over, people are going to stop clicking on 'I agree,'" he said, referring to the check boxes that customers check on Web forms to allow further e-mail contact. These are the consent agreements that keep legitimate e-mail marketers in business. He added, "Some people are actually seeing their opt-in numbers go down. In the industry, they're kind of whispering about that."