Epsilon Risks Downplayed

The theft of names and email addresses from Epsilon has reached across the Atlantic. Last week I received notification from two UK companies, one of which is a household and high street name, Marks and Spencer, the other is Crucial UK, who will be familiar to almost anyone who has bought computer memory. I’ve included the content from both of the organisations.

Marks and Spencer
We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.
We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.
We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Crucial UK
On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.
We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.
For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

I think both of these responses are poor. For one, it’s fairly clear that they’re variations on a pre-prepared statement, probably from Epsilon.

Second, they seem to think that spam email is the worst thing that is likely to happen, without really emphasising that the spam email is likely to be targetted directly at the individual and purport to come from the company (spearphishing in the parlance). Most phishing email is pretty poor, but occasionally you get the odd one that is convincing. Knowing that someone uses a particular website is gold and makes it worth putting together a good phishing email and complementary website.

Finally, hacking an account at either of these sites has become much easier. Both M&S and Crucial use the email address as the login name – knowing that you have a valid login name is half the battle when trying to break in. Let’s face it, time and time again, surveys show that passwords are often easily guessed.

M&S and Crucial, here’s what I want you to do.

i) Delete all credit card information from any affected account or reassure us that you don’t hold that information.

ii) Create a secondary security feature on all affected accounts that uses information that wasn’t disclosed, e.g. post code from postal address. This will become part of the login process.

iii) Monitor logins for suspicious activity, particularly ones that fail the new security feature.

iv) Recommend that people ensure that they have strong passwords on their accounts and give guidance on what a strong password is.

v) Sack Epsilon as your email distribution provider.

What do you think? Has the response from the companies affected been satisfactory? Let me know.