The Green Sheet Online Edition

April 25, 2011  •  Issue 11:04:02


And the breach goes on

A slew of recent data breaches have security experts and government authorities scrambling to fix security loopholes and identify possible sources. In the most recent attack, Epsilon Data Management LLC, an online marketing unit of Alliance Data Systems Corp., reported customer data was exposed by an unauthorized entry into Epsilon's email system, affecting approximately 2 percent of its global client base of 2,500 companies.

Epsilon detected the breach on March 30, 2011, and notified clients that the information obtained was restricted to email addresses and customer names. Since the incident occurred, a growing number of companies affected by the breach have stepped forward. Citigroup Inc., HSN Inc., Kroger Co., Walgreen Co., and Walt Disney Co.'s travel subsidiary, Disney Destinations, are among the affected companies.

In a follow-up statement Alliance Data also confirmed that, "No personal identifiable information (PII) was compromised. PII includes such data as Social Security numbers, credit card numbers and account information. Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations."

Post-attack threats

According to Nicholas Percoco, Senior Vice President and head of Trustwave's Spiderlabs, once a breach occurs, culled data can be used in further attacks. "The attackers have that data," he said. "There is likely a lot of data here, probably 100 million names and email addresses, if you add up all these major vendors who were affected. The attackers right now have a mound of data they need to sift through and decide what their next steps are."

Percoco said follow-up attacks might include low-level phishing and spam attacks to gather additional information. "They can hone their attack even further by sending crafted emails to just the people they know who are customers of Merchant X or Card Issuer Y," he said. "That becomes even more targeted, something along the lines of what we call 'spear phishing,'" which involves attackers targeting specific consumer groups or high-profile names in government or corporations.

Anticipating increased email activity within the customer and client environment impacted by the breach, Epsilon President Bryan Kennedy stated, "We apologize for the inconvenience that this matter has caused and for the potential unsolicited emails that may occur as a result of this incident."

Percoco advised merchants to step up their fraud monitoring through third-party fraud alert systems that identify abnormal activity. And for those affected by the breach, he recommended communicating with customers to prevent furtherance of the attack. He suggested, for example, that merchants provide guidelines so customers know what kind of communication to expect from them; these could be simple statements such as, "We will not send you an email and ask you to click on a link to update your profile information or log into our site."

A persistent trend

Statistical data from the Privacy Rights Clearinghouse, a nonprofit consumer organization that reports data breaches and provides consumer education, suggest that data breaches will persist as a trend. In 2010, a total of 595 breaches were reported by the PRC, with 12,313,609 records exposed.

In the first quarter of 2011, PRC reported that 144 breaches have exposed 4,953,195 records. As the Epsilon breach unfolds, the number of records exposed this year will likely surpass 2010's total. Further, Epsilon is not the first to have its email system breached. In February 2011, hackers extracted 60,000 business emails from HBGary's network, potentially exposing sensitive information about its customers. The Sacramento, Calif.-based security company provides continuous cyber-security protection for government agencies and Fortune 500 companies.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
