Anyone affected by the Epsilon data breach?

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
Wow that was bad.

What do you guys all think? Was this breach due to bad security at Epsilon or was it the result of an awesome exploit?
 

jtr8178

Limp Gawd
Joined
Jun 21, 2008
Messages
266
I got emails from several of my credit card companies, Best Buy, AmeriTrade, and a couple others I can't remember.

Someone out there must have some bad-ass hacking skills to get through a company like Epsilon.

Its odd - Every email was telling me how to protect my information. Funny, shouldn't they be the ones protecting my data if they are storing it?
 

munkle

[H]F Junkie
Joined
Jan 16, 2005
Messages
11,800
Yeah I started getting spam on my one email that I only use for purchases which did ever get spam before and got the emails about the breach too.
 

TechLarry

RIP [H] Brother - June 1, 2022
Joined
Aug 9, 2005
Messages
30,483
Not many will escape this one.

Epsilon should be fined over this. That's the only way it will ever stop.
 

munkle

[H]F Junkie
Joined
Jan 16, 2005
Messages
11,800
Not many will escape this one.

Epsilon should be fined over this. That's the only way it will ever stop.

Because fining the victim stops the problem? :confused: I guess that kind of makes sense if all the victims go to jail or out of business the criminals wont have anyone to exploit.
 

Bookmage

Gawd
Joined
Sep 2, 2004
Messages
673
I got several of the same emails... it feels like all companies just forwarded the same email from epsilon about how to protect their data...
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
This shows how today's browsers are very insecure, and there needs to be a move AWAY from flash and all that junk. It should not be possible to just go to a link and immediately get code execute on your machine. It sounds like this is what happened in this case with that email that was sent.
 

Thuleman

Supreme [H]ardness
Joined
Apr 13, 2004
Messages
5,833
Because fining the victim stops the problem? :confused: I guess that kind of makes sense if all the victims go to jail or out of business the criminals wont have anyone to exploit.

When the victim is negligent then it does at least send a message to other potential victims to get their shit together. Leave your stuff unpatched, get hacked, that's really not news or a novel concept.
 

munkle

[H]F Junkie
Joined
Jan 16, 2005
Messages
11,800
When the victim is negligent then it does at least send a message to other potential victims to get their shit together. Leave your stuff unpatched, get hacked, that's really not news or a novel concept.

I would say the getting hacked part sends the message to others to fix their stuff. A fine doesn't really do anything except give the government money (which is why they will probably get a fine). I would say they only deserve a fine if it was serious negligence like they were informed what very specifically to fix and where and didn't do it because they didn't want too. I don't think a dumb employee clicking a dumb link would count for me personally if that's how they got junk on their system. Maybe fire the employee for being dumb but fining the entire company I think is a little much.
 

C7J0yc3

[H]ard|Gawd
Joined
Dec 27, 2009
Messages
1,353
Just about every organization except paypal that I have money or credit with sent me an email today about it.

I personally am completely for fining the victom here. Doing security for places when they are about to get audited for PCI compliance (or just about any other standard) it is all about being "good nuff" for the auditor and not too much more. Doing things right costs money, however doing things wrong costs even more money (which for some reason upper management can't understand). If Epsilon gets a hefty fine + whatever it is going to cost for a security firm to come mop up the mess it will serve as a warning to other big players that they need to get their shit together thus making the end user safer.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
Because fining the victim stops the problem? :confused: I guess that kind of makes sense if all the victims go to jail or out of business the criminals wont have anyone to exploit.

Except they aren't the victim, we are. It's our info that got stolen.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
38,155
I've been getting emails from the affected companies, been seeing more spam than usual, and one of my credit cards had a bunch of fraudulent charges (was caught).
 

ChrisBenn

Limp Gawd
Joined
Feb 21, 2011
Messages
440
Because fining the victim stops the problem? :confused: I guess that kind of makes sense if all the victims go to jail or out of business the criminals wont have anyone to exploit.

So you deposit your money in a bank. The bank has a security audit and it says "hey, you have a problem, your night watchman leaves the vault open when he takes a piss". They ignore it for 4 months, at which point someone steals all your money while the night watchman is taking a piss...

While technically, yes, the bank is still a victim, they also caused harm by failing to do their job (properly secure what they were contracted to secure).
 

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
I've been getting emails from the affected companies, been seeing more spam than usual, and one of my credit cards had a bunch of fraudulent charges (was caught).

Me too. I'm the OP on this thread. Last Saturday, the first day of this attack, someone tried to do a very large cash advance on my credit card. The bank refused, of course, ;) and now I'm the owner of a shiny NEW credit card.:D OK, so the system worked, but what if the thieves weren't so greedy? I could have been SOL for who knows how much money and a bunch of fraudulent charges. :mad:
 

munkle

[H]F Junkie
Joined
Jan 16, 2005
Messages
11,800
Except they aren't the victim, we are. It's our info that got stolen.
There can be more than one victim to a crime you know.
So you deposit your money in a bank. The bank has a security audit and it says "hey, you have a problem, your night watchman leaves the vault open when he takes a piss". They ignore it for 4 months, at which point someone steals all your money while the night watchman is taking a piss...

While technically, yes, the bank is still a victim, they also caused harm by failing to do their job (properly secure what they were contracted to secure).

Money is alot different than ones email and first name.
 

InvisiBill

2[H]4U
Joined
Jan 2, 2003
Messages
2,608
I haven't really noticed any increase in spam or phishing emails, but my SpamAssassin works wonders. I actually allow some lower-rated spam through, so that I can report the source.

I've been getting emails from the affected companies, been seeing more spam than usual, and one of my credit cards had a bunch of fraudulent charges (was caught).
Me too. I'm the OP on this thread. Last Saturday, the first day of this attack, someone tried to do a very large cash advance on my credit card. The bank refused, of course, ;) and now I'm the owner of a shiny NEW credit card.:D OK, so the system worked, but what if the thieves weren't so greedy? I could have been SOL for who knows how much money and a bunch of fraudulent charges. :mad:

In every example I've seen, only names and email addresses were taken (as munkle mentioned). It was an email marketing company that was breached, not the banks/stores/etc. themselves. If there were fraudulent charges due to this, then your bank is giving TONS of information (like CC numbers) to people who have nothing close to a need for the info (like random email marketing companies), and you should run away from them as fast as possible. If your fraud issues were actually due to this, then that same company would probably have your new number too, so you're no better off with that shiny new card.

In other words, it's a coincidence.
 

cymon

Limp Gawd
Joined
Apr 16, 2009
Messages
453
Fining companies is how regulatory compliance works. Is it going to help much? Probably not. I can only imagine they'll try and set the fine so that it's cheaper to secure their stuff than to pay the fines.

Of course, this assumes that the regulatory agencies have an idea of what the hell is going on - trying to regulate IT is insane. Regulating industry is easier - air and water emissions can be sampled to determine concentrations of pollutants, filtration systems can be installed.
 

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
Fining companies is how regulatory compliance works. Is it going to help much? Probably not. I can only imagine they'll try and set the fine so that it's cheaper to secure their stuff than to pay the fines.

Of course, this assumes that the regulatory agencies have an idea of what the hell is going on - trying to regulate IT is insane. Regulating industry is easier - air and water emissions can be sampled to determine concentrations of pollutants, filtration systems can be installed.

There is also the problem of jurisdiction. Say a company based in France or Germany does business in the US, but doesn't have a physical presence in the US. How can the US Government possibly enforce a fine against this company? Or make that a US-based company and it's the EU that's imposing the fine.

Dunno.
 

Matt Welke

Limp Gawd
Joined
Mar 17, 2004
Messages
354
Add me to the list of those who had fraudulent charges. I never even made the connection to this event! I got the email from Citi Mastercard a few weeks after there were 3 or 4 fraudulent charges from the UK on my card (I'm Canadian, and rarely travel, thank you very much :p).

I have two active credit cards right now, one is the Citi Mastercard in question, the other is an RBC Visa. The RBC card was not affected. I think maybe this has to do with American vs. Canadian regulatory stuff. We tend to be much more stringent about security and things in general in our banking industry. I think I'll move more towards Canadian cards in the future... My faith in Citi is a bit shaken.
 

adam30k

Gawd
Joined
Aug 18, 2002
Messages
710
Add me to the list of those who had fraudulent charges. I never even made the connection to this event! I got the email from Citi Mastercard a few weeks after there were 3 or 4 fraudulent charges from the UK on my card (I'm Canadian, and rarely travel, thank you very much :p).

I have two active credit cards right now, one is the Citi Mastercard in question, the other is an RBC Visa. The RBC card was not affected. I think maybe this has to do with American vs. Canadian regulatory stuff. We tend to be much more stringent about security and things in general in our banking industry. I think I'll move more towards Canadian cards in the future... My faith in Citi is a bit shaken.

This breach has to do with email addresses not credit card accounts. someone could try to brute force your password on your Citi website account because they have your email address and know you have a Citi account but I'm not sure they could get your credit card number off of the information there.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
38,155
In every example I've seen, only names and email addresses were taken (as munkle mentioned). It was an email marketing company that was breached, not the banks/stores/etc. themselves. If there were fraudulent charges due to this, then your bank is giving TONS of information (like CC numbers) to people who have nothing close to a need for the info (like random email marketing companies), and you should run away from them as fast as possible. If your fraud issues were actually due to this, then that same company would probably have your new number too, so you're no better off with that shiny new card.

In other words, it's a coincidence.

This breach has to do with email addresses not credit card accounts. someone could try to brute force your password on your Citi website account because they have your email address and know you have a Citi account but I'm not sure they could get your credit card number off of the information there.

So I guess they didn't get any card info right? This is the only one that admitted to it, where five or so other places that have been compromised only said emails and names were found out.

We previously attempted to alert our customers whose credit card account information could possibly have been compromised. Although we were only acting under suspicions of fraud at that time, customer responses to our alert seem to confirm our concerns.

We do sincerely hope our initial email alert either prevented fraud from occurring on your card, or allowed you to contact your credit card issuing bank to immediately stop additional incidents of fraud. Either way, please be advised that any fraudulent charges you may discover will be considered unauthorized when reported to your card issuing bank. You should not be responsible for paying any unauthorized charges or associated fees.

Although it is unfortunately not uncommon to hear of a breach in security of confidential customer information - it was a very unpleasant situation to learn that some of your own customer files may have been compromised. Fortunately, we have been assured that only a small percentage of the customers we have on file were exposed to having their credit card data compromised. We are now reaching out once again to make each of you aware of this situation. We are asking everyone receiving this email to check your recent account activity on each and every credit card(s) you may have used to make a purchase with us. It is highly recommended (whether you actually see evidence of fraudulent transaction or not) that you request your card issuing bank to immediately deactivate the card(s) and have them issue you a new card(s).

If you discover that your card has been used fraudulently, IMMEDIATELY CONTACT THE COMPANY WHICH ISSUED THE CARD (Visa, MasterCard, Discover, Amex, etc)- and report the fraudulent charge. Give the card company the last charge transaction which you made or authorized, and ask to have the account closed, and to have the card re-issued under another number. The issuing card company should confirm that the possibly compromised card account number has been stopped, and that a new card is being sent to you. Please Note - if you have a vendor /service provider which has legitimately been debiting your card on a monthly basis, you will need to contact that source and give them the new card number as soon as you receive that information.

As an outspoken advocate of our constitutional rights, we are appalled by this invasion of our data and your personal information. Those responsible for this crime (and it is a criminal offense) have, in some cases, used the information obtained unlawfully to make fraudulent purchases. Having to accept that this fraud has occurred against us and our customers is the single worst incident in our company's history, a history we are otherwise very proud of.

We can now confidently assure you that previous security issue has been resolved. Also, the recent events obviously caused us to focus our full attention and all available resources on preventing a future occurrence. Among the actions already taken and/or currently in progress are:

1. A third party forensics analysis to better understand the cause and circumstances behind the unauthorized access to our data.

2. Upgraded firewall which is capable of real time analysis of all network traffic. Suspicious activity will automatically be blocked and our IT security staff immediately notified.

3. Future security and data storage practices will be audited to ensure PCI compliance.

4. Installation of additional and multiple active and passive scanning and monitoring security software applications. We have been advised to withhold specifics of this software for security reasons.

5. Stringent password and IP based access restrictions for all systems which contain budsgunshop.com

customer information.

All of the security provisions above will soon be working in compliment of one another to protect our data, and your personal information. However, the single most comforting change which absolutely prevents your credit card information from being compromised from our website was actually accomplished earlier this week. Before we even turned the credit card payment option back on Tuesday, we had reworked our checkout process to send your information direct to our secure third party processor and immediately clear our system. The reason we are so confident that your credit card information will never be compromised on our website ?....simple, we don't have it !

As an unfortunate result of increasing our security, some customers may experience inconvenience going forward by having to provide us with their credit card information for each new debit/credit of their account. For example, we will no longer be able to add, or make changes, to existing orders and charge the difference to the credit card used when placing the original order...as we will no longer have that information on file.

This has been an extremely trying time for us and also many of our loyal customers. We sincerely appreciate the emails and phone calls from concerned customers, many of which were very helpful in tracking down this fraud. It is unfortunate, but understandable, that some people quickly jumped to assumptions and conclusions which were not at all favorable towards us. Because of this, we are aware of the many false and misleading statements currently being spread over the internet.

If you have any questions or concerns - please email those to alerts@budsgunshop.com and we will reply as quickly as we possibly can. We are creating a dedicated help link on our website with frequently asked questions and answers on this serious issue. A toll free number will also be made available this week to any customers affected by issues of fraud. Each call will be directed to a message including helpful information as well as the option to request a return call.

I cannot begin to express how badly our entire staff feels to disappoint those of you who placed your confidence in us. Please accept my personal apology for any inconvenience that this cowardly and criminal act may have caused you.


Marion "Bud" Wells, Jr.
President

Budsgunshop.com, LLC
 

Mackenzie

n00b
Joined
Apr 10, 2011
Messages
9
Everyone on the College Board website was affected. Apparently everyone registered lost their privacy of email and name.
 

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
This breach has to do with email addresses not credit card accounts. someone could try to brute force your password on your Citi website account because they have your email address and know you have a Citi account but I'm not sure they could get your credit card number off of the information there.

Strictly speaking, yes. However, what if the malware planted on the Epsilon site was designed to attack the systems of Epsilon clients? What is such exploits worked in a few cases? Then there is a potential backdoor to who-knows-which banks, hotel chains, retailers, etc. Remember TJMaxx?
 

InvisiBill

2[H]4U
Joined
Jan 2, 2003
Messages
2,608
Add me to the list of those who had fraudulent charges. I never even made the connection to this event! I got the email from Citi Mastercard a few weeks after there were 3 or 4 fraudulent charges from the UK on my card (I'm Canadian, and rarely travel, thank you very much :p).

I have two active credit cards right now, one is the Citi Mastercard in question, the other is an RBC Visa. The RBC card was not affected. I think maybe this has to do with American vs. Canadian regulatory stuff. We tend to be much more stringent about security and things in general in our banking industry. I think I'll move more towards Canadian cards in the future... My faith in Citi is a bit shaken.

A few weeks ago, the data breach hadn't happened yet. No credit card numbers were involved in the Epsilon incident, only names and email addresses.


So I guess they didn't get any card info right? This is the only one that admitted to it, where five or so other places that have been compromised only said emails and names were found out.

Was budsgunshop.com a client of Epsilon? The stuff you quoted makes it sound like their own systems were compromised. None of the fixes they listed are even really related to what happened with the Epsilon breach. Other than this thread, I found one other forum post where someone (whose post didn't imply that they even had any understanding of the situation) mentioned Epsilon along with Buds. It sounds completely unrelated to the Epsilon stuff, just coincidentally at the same time.
 

InvisiBill

2[H]4U
Joined
Jan 2, 2003
Messages
2,608
Strictly speaking, yes. However, what if the malware planted on the Epsilon site was designed to attack the systems of Epsilon clients? What is such exploits worked in a few cases? Then there is a potential backdoor to who-knows-which banks, hotel chains, retailers, etc. Remember TJMaxx?

What "malware planted on the Epsilon site" are you referring to? I've seen no mention anywhere of any website malware being involved in this. Things could change as the investigation proceeds, but the press release states that only names and emails were exposed. There's no mention of malware or attacking their clients.

The TJX guys simply got direct access to the companies' networks (through unsecured wireless and such) and installed sniffers to capture credit card info. That's a lot different from hacking into a company to install malware on their websites in an attempt to infect clients' systems and get sensitive information from them.
 

Matt Welke

Limp Gawd
Joined
Mar 17, 2004
Messages
354
There's obviously a link here. I'm not the only one to have also reported fraudulent charges on my card coinciding with this data breach. I'm OCD with my finances, keeping my number extremely private and safe. I've had credit cards for 3 years now and just now had this happen. This can't just be a coincidence.
 

adam30k

Gawd
Joined
Aug 18, 2002
Messages
710
Epsilon handles email marketing for companies. There's very little likelihood that they would have more then names and email addresses in their databases and that their systems would have any way connection or link to client systems especially those that would contain confidential information.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
38,155
Was budsgunshop.com a client of Epsilon? The stuff you quoted makes it sound like their own systems were compromised. None of the fixes they listed are even really related to what happened with the Epsilon breach. Other than this thread, I found one other forum post where someone (whose post didn't imply that they even had any understanding of the situation) mentioned Epsilon along with Buds. It sounds completely unrelated to the Epsilon stuff, just coincidentally at the same time.

I believe they are. I deleted their first message on this, so I am not able to verify it. :(
 
Top