Landing : Athabascau University

Security Breach Massively Exposes People's Names and E-Mail Addresses

http://www.canada.com/news/arifsaha.com/4558021/story.html

Canadian consumers among victims of massive email security breach

By Gillian Shaw, Vancouver Sun April 5, 2011

...

Canadian consumers are among those affected by a massive security breach that has seen customer names and emails stolen from dozens of high-profile companies, including Best Buy, Air Miles and Victoria’s Abe Books.

Also affected by the breach is The College Board, the company behind the SAT Reasoning Test and advanced placement (AP) exams taken by many Canadian students.

...

Millions of customers could be affected by the security breach at Epsilon, the largest distributor of permission-based email in the world and the company behind more than 40 billion marketing emails a year sent on behalf of more than 2,500 customers. Three of the United States’ 10 top banks — JP Morgan Chase, Citibank and U.S. Bank — along with Barclays Bank and Capital One were among Epsilon clients affected by the breach.

The breach, which Epsilon said Monday affected approximately two per cent of its clients, has hit such high-profile retailers and financial institutions as American Express, L.L. Bean, Best Buy, Disney Vacations and others on a list that is growing as consumers report receiving warning emails from companies telling them their data has been compromised.

...

“On March 30, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only.

“A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.”

...

said there is no way of knowing how many people have been affected since Epsilon won’t name the companies involved and it has been left up to the companies to inform their customers.

...

The information the hackers got in the attack is enough to help them create very convincing emails purporting to be from legitimate organizations, Constable said. The phishing emails could be trying to elicit more information, such as passwords and credit card numbers, or they could be a means of downloading malicious software on a user’s computer.

“They could say ‘click here, enter your password,’” said Constable. “Chances are people will be susceptible to such an attack.”

...

“From my perspective any organization that carries Canadians’ information, personal information needs to be encrypted at both the storage level and at the network level.

...

Constable said people should never respond to emails from organizations, even ones they do business with, that are asking for their passwords, credit card numbers or other personal data. And they should never download programs offered, even if the sender promises they’ll get points or other rewards.



http://www.thestar.com/article/969130

Thousands more Canadians notified of email hacking

Published April 05, 2011

...

Customers of Air Miles Canada, Home Depot, 1-800-flowers, Moneygram, Eddie Bauer, and the Hilton hotel rewards system all reported receiving notices warning them that their email addresses had been stolen.

A dozen companies, including major U.S. banks, TiVo and Canadian retailers such as Best Buy Canada and TigerDirect have alerted customers to be wary of “phishing” emails using hacked data to send personalized messages trying to extract sensitive information.

At least 10 others have made no announcement, but word of the breach has come via their customers.

All of the companies use Epsilon, a U.S. marketing firm, to handle their email accounts. Epsilon, which calls itself the world’s largest “permission-based” email provider, first notified clients Friday of the security breach.

“The information that was obtained was limited to email addresses and/or customer names only,” the Dallas-based company said in a terse press release.

“No other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

...

Although most of the email breaches were with U.S. companies, Canadians were likely to be caught on customer lists of Epsilon clients such as the Home Shopping Network, LL Bean, Disney Destinations, AbeBooks, the Marriott, Ritz-Carlton and Red Roof hotel chains, and McKinsey & Co.

...

By posing as a trusted institution, the thieves could trick users into downloading software that can copy bank account numbers and passwords directly from the memory of personal computers, he said.

...

“Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database.”

Marc Zwillinger, a Washington cyber-law attorney, said it was unlikely that customers could hold Epsilon liable for the loss of data, Bloomberg reported.

...


http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/
 (scroll down for a list of affected companies)


http://www.bankinfosecurity.com/articles.php?art_id=3505
 (another list of affected companies)


http://news.google.com/news/more?ncl=d4hwF4178yQ1wjMPRZ3esRw3ABSnM