Information is the new gold. Information about you is being collected and collated and, unfortunately, shared with companies and organizations without your knowledge, permission, or consent. The companies who collect this information are companies you do business with and trust. Companies like Best Buy, Target, Disney, Verizon, Capital One, Chase, MasterCard, Visa, Kroger, and many others.
Recently, it became known that over 2500 companies, those mentioned above and others, had sold or given some of the information they had about you to a company you probably never heard of before. The company is called Epsilon. Epsilon is a company who does email marketing for thousands of companies including retail stores, restaurants, hotels, cell phone providers, entertainment companies, banks, and credit card companies. There’s a good chance if you do business with any major retail store, bank, restaurant, cell company, hotel, etc. and you regularly do business with them off or online – and you have given them an email address, they have a file with your name on it. And in that file with your name on it is information about you – your name, your email address, and products or services you have purchased. While you may have thought you were giving this information only to, let’s say Target, Target was giving your information to Epsilon so that Epsilon could send you emails that appeared to come from Target.
In most other cases, someone who sent you email pretending to be someone else, would be spam or illegal, but Epsilon’s business is email marketing – not spam. Companies like Verizon, Kroger, Capital One, etc. pay Epsilon to send emails on their behalf. The line between email marketing and spam is thin. In this case the stores, banks, restaurants, service providers, etc. paid Epsilon to provide email marketing services for them. In order to provide that service, the companies had to turn over a customer database containing names and email addresses and marketing information (what products and services you use, how much you spend per purchase, possibly your age and income, and other general information) to Epsilon so they could send you emails which appeared to come from the companies you do business with. So when you got that email from Best Buy, or Verizon, or Capital One, or Disney – or any of 2500 other big companies on Epsilon’s client list, it really came from Epsilon – and not Best Buy, Verizon, etc.
You didn’t know that and you probably would have never known it had it not been for the fact that Epsilon’s database was breeched by a “hacker” and all that information was stolen. No one knows for sure where the hacker or hackers are located – no one even knows for sure that it wasn’t an inside job. No one knows much of anything yet except Epsilon’s database was stolen and in that database there probably was a file on you and me. There were tens of millions of names and email addresses stolen. Each email address and name may have had some the other information attached to it – what you purchased most often, how much you spent, your preferences – basically information about what kind of customer you are, your preferences, and your buying history. But none of the information in the files that were stolen contained any highly sensitive information (credit card numbers, home addresses, social security numbers, cell phone or house phone numbers) at least as far as anyone knows.
It is highly probable that no sensitive information was stolen. But the information that was stolen is still highly valuable. It was valuable to the companies you do business with, it was valuable to Epsilon, and now it’s valuable to the criminal or criminals who stole it. It’s valuable to criminals who stole it because now rather than operating a random spam operation where tens of millions of emails were sent hoping to make a few hundred sales or attempting to infect a few tens of thousands of computers, the criminals now have enough information to conduct realistic-looking email marketing targeted to your preferences and your buying patterns. Now the criminals know you like pepperoni & onions on your Domino’s pizza, they know you have a credit card with Capital One, they know you’ve been to Disney World and you like to stay at several Disney properties. They know you how often you shop at Kroger. The know what you like when you shop at Target. They know you have a Verizon Droid cell phone and that you recently bought a Bluetooth headset. The criminals know as much or as little as the companies you do business with – and as much or as little as Epsilon knows. And they will address the email to you – like “Dear Charlotte Billings” – not “Dear Valued Customer”.
So now you have two kinds of spam you have to be watching for – the kind you’ve come to know and hate; and the kind that looks just like the emails you normally receive from companies you do business with. And you’re going to have to be very careful in the future that you don’t make a careless mistake and give up any sensitive information to the criminals – and that you don’t download any malicious software (bots, Trojans, spyware, or expensive but useless software) on your computer.
The basic Email safety rules apply – but now you have to be even more vigilant.
One thing for sure, if it came from the criminals and you click links in that email it’s going to lead to some bad things – Trojans, bots, or other nasty software which could be installed on your computer – or you may be tricked into giving up your credit card number, social security number, home address or cell phone number to the criminals.
It’s very important that you take every possible step to protect yourself:
1. Change your email address with the companies you do business with. You can do this without creating new email accounts. Use Gmail’s PLUS email addressing. If you don’t have a Gmail account, create one.
Briefly, if you receive updates from any of the companies who used Epsilon at your email@example.com – here’s what you need to do.
Go to the company (let’s say Verizon) and change your email address to firstname.lastname@example.org . You don’t need to create a new Gmail address, use Gmail’s PLUS feature. Then, create a rule in Gmail that all mail from Verizon Wireless to email@example.com be sent to the spam folder. You just rendered the address the criminals stole useless.
If you do this with all your accounts – firstname.lastname@example.org , email@example.com – any emails you get to those addresses will be valid because they’re all “new” – and any that come to the old email address (which was stolen from the companies involved) will be sent to your spam folder. And you can do all this without even creating a single new email address. We will cover how to
2. Now would be an excellent time to change your passwords – or all your accounts. Never use the same password for more than one account. Don’t use simple passwords. Use strong passwords (12 characters, numbers, symbols). Create a random password using a password generator like the one that comes with LastPass. And use a password manager like LastPass to remember those passwords for you – and to automatically fill forms on sites you need to log into. LastPass is free – so there’s no reason for you not to be using a good password manager. Get LastPass from http://www.lastpass.com/ .
3. Use good security software and keep it updated. Emsisoft protects you from malware, ransomware, PUPs and other threats better than any other software we’ve tested. Read more about Emsisoft here.
4. Don’t click links in emails which ask for sensitive personal information, password changes, or credit card information. If you need to check an account or change a password, type in the URL in your address bar – and always – ALWAYS — make sure the URL begins with https:// and not http:// – any time you are dealing with sensitive information like credit card numbers, social security numbers, bank account numbers, etc. This applies to all emails – legitimate companies NEVER ask you to click a link in an email to verify your personal information or change a password. NEVER.
5. Use your head. Don’t panic and don’t listen to those who try to scare you into buying things like Lifelock or some other program guaranteed to protect your identity. Don’t waste your money. Use your common sense – it’s the best software protection you can’t buy.
It is almost a certainty that you will be bombarded with spam in the coming weeks — and you’ll continue to be bombarded until you get those email addresses changed. You will also be seeing a lot of ads and tech articles about security programs and firewalls. Everyone will be out to get your money; everyone will be making wild promises about how well they can protect you and your identity. There’s only one thing in the world that can protect your identity, 100% of the time – your own common sense and your knowledge. Don’t panic. And don’t believe those people who try to scare you into action – they’re only scaring you so they can profit from this unfortunate incident.
We all live in the age of information; we all live in the age where information has become highly valuable. Information is the new gold and until the companies who store and maintain legitimate databases of information is guarded like Fort Knox, more incidents like the Epsilon incident are going to happen. It’s nearly impossible to shop or buy anything – online or offline – anymore without information being collected. We all have had to trade a little privacy for a lot of convenience. The secret is knowing how to contain the potential damage and to reduce the potential risks. The Epsilon incident just highlights the fact that your information is being bartered and shared between companies without your knowledge or consent. We’d never heard of Epsilon before the week and you probably hadn’t either. There are, no doubt, other companies out there performing the same “services” as Epsilon. We don’t know who they are and you probably don’t either.
What really matters now is that you know how to react to this situation. You need to be aware and concerned – but you don’t need to be afraid and you don’t need to panic. This latest theft of email addresses, names, and information is serious, but it’s not the end of the world; your identity is still safe. We’re trying and will always try to help you keep it that way.