Over the past weekend there was a fairly significant data breach at a company called Epsilon. Epsilon manages various aspects of online marketing and marketing services to companies like Best Buy, Disney Vacations, Citibank, JP Morgan Chase, Kroger, and others.
According to the press release from their website, a “subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.” The breach was “limited to email addresses and/or customer names only.”
What does that mean to you?
Hopefully, if your email was stolen as part of this, you have received a notification letting you know. I’ve received three notices so far and I’ve read one report of a person who received six.
If you received a notice, you need to be on the lookout for targeted or “spear” phishing attacks. Whoever stole the data has your email address and knows which company you gave it to. Spammers can target you with a specifically crafted message that looks like it comes from a company you do business with but tries to fool you into giving up your login credentials, or that contains a virus.
So what should you do?
For any email you get from companies, whether they were part of this data breach or not, make sure that any hyperlinks in the message point back to the actual company. You can typically see this by hovering over the link and looking at the bottom left corner of the browser, which will display the site address. For example, this link to www.google.com isn’t really going to take you to Google. (You didn’t click on it, did you…) Phishers will get a lot more crafty than my simple example, so you really need to be cautious.
If you receive an email that requests that you log in and verify your information or change your password, tells you your account has been compromised, or makes any other similar request for information, don’t believe it. Don’t follow any of the links in the email; go directly to the company’s site as you normally would, either via bookmark or by manually typing it in, and log in. If they want something from you, chances are you will be prompted for it after you log in.
Don’t open any attachments that may accompany emails from companies. I don’t believe I’ve ever received an email with an attachment from a company that I wasn’t specifically expecting, like when purchasing tickets to an event and they send them in a .pdf file for printing. Any attachments should raise the red flag.
Other good practices include using different passwords for all your sites. I know, this can be a real pain, but if your email account gets hacked you don’t want the same password to provide access to your banking account. You also don’t want your email address to be easy to guess. How many times have you forgotten your password to a site and the only information needed to reset it or get a temporary password was to enter your email address, and the company sends you an email to complete the process? If I have access to your email account I could reset your password at lots of places before you know it.
While you’re at it, for sites that allow it, make sure your passwords contain special characters like * & # ! and don’t contain words found in the dictionary. This will make it more difficult for automated programs to guess your password. Additionally, passwords should be at least 8 characters long.
Lastly, make sure you are running some type of antivirus on your computer. I’m not real big on actually paying for software, I’m more of the free software kind of guy, but antivirus is the one thing I actually buy. Whatever product you choose, make sure you keep it up to date. My AV updates at least once a day if not more frequently; that’s how fast they discover and block new viruses.