
Bad Medicine—Epsilon Woes Continue

By Ondrej Krehel, Identity Theft 911

Email addresses and names exposed in the Epsilon breach can reveal more about consumers than we thought, especially when they’re connected to the world’s largest drug maker.

GlaxoSmithKline said the breach affected consumers who were registered on its websites for prescription and nonprescription drugs and products. Glaxo used Epsilon to handle its email marketing campaigns. When hackers broke into Epsilon’s database earlier this month, they stole subscriber lists for more than 100 companies, including financial institutions and retailers.

Interested in antidepressants? Cancer treatments? HIV drugs? Now the hackers may know that, too. And the way current laws are structured, victims can’t expect any direct financial compensation for what amounts to a medical information breach. (Can we call this a HIPAA light violation?)

But that could change. Senators Kerry and McCain are pushing for a new commercial privacy bill of rights that would require companies to keep consumer data, such as emails and names, secure in an encrypted format. The bill would also require “managerial accountability” and implement processes for responding to nonfrivolous consumer inquiries.

In California, a federal judge has set an uncommon legal precedent that could help the cause by allowing a lawsuit against social media game developer RockYou to move forward. The judge said that the email addresses exposed in RockYou’s 2009 data breach have “some ascertainable but unidentified value.”

Meanwhile, cybercriminals created a fake website to prey on Epsilon data breach victims. The phony site, first reported by security firm Websense, offers a downloadable “Epsilon Secure Connect Tool” that claims to tell consumers if their information was stolen. Downloading and executing the program installs a Trojan horse onto consumers’ PCs and ultimately steals more information.

As always, think twice when doing anything online, whether it’s downloading a new program or submitting your email address to a website, even a legitimate one. Our email address is becoming something like a digital Social Security number. Email is a unique digital identifier—no two addresses are alike—and very real connections are now being drawn between that email identifier and the real world.

Related: The Epsilon Breach: Don’t Take the Bait with Phishing Scams

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

