ANALYSIS: The hack attack on Epsilon last week has caused tremors across the security industry, as big corporations saw their email lists go missing.
Some giants of the business world - including Marks & Spencer, Hilton and Citibank - were thought to have been affected.
At the moment, it appears as though only email addresses and names went missing. But whilst this kind of information may not seem important at first, it could be used as the starting point for wider attacks.
So how serious was the Epsilon breach and what can we expect to see in the aftermath?
Does it matter?
You may think hackers can’t do much with just emails and names, and to some extent you’d be right. Spam may cause issues for bandwidth and email clogging, but often filtering systems protect users.
In fact, there is a theory going around that the hackers didn't even set out to acquire emails from Epsilon, but came across them by accident. This could indicate the cyber criminals weren't doing anything particularly targeted.
“Because e-mail addresses were not considered of great value in the criminal underground, I suspect the attack on Epsilon began as something random,” said Mary Landesman, market intelligence manager at Cisco.
“Hackers often scan the internet looking for machines that have a certain vulnerability or misconfiguration and then, once they hit upon something, look further to see if the victim interests them.”
She added: “At this stage we can only speculate that this is what happened; the attackers had found themselves on Epsilon's system, realised what they had and then worked to acquire their customer lists.”
However, you can do more with emails and names than you might think. Such information can provide the building blocks for something much more serious.
In light of recent Advanced Persistent Threat (APT) attacks, people should be more concerned about targeted spear phishing attacks than spam.
By using the customer email, hackers could search for social network profiles.
From there, even more data can be acquired to garner what the target is interested in or where they work. Then, with a specially crafted email, the customer could be convinced to download a malicious file handing their control over to a hacker.
Such a process has been used in various attacks in recent times. RSA was one notable recent victim of a spear phishing attack.
“The illicitly extracted information from Epsilon, or from any other company that stores and processes personal data, is very valuable, even though it may not seem much for the untrained eye,” Catalin Cosoi, head of online threats lab at BitDefender, told IT PRO.
What makes the Epsilon breach that bit more significant is the number of people who could have been hit.
“We are seeing these [emails] sent to Europeans as well as American citizens,” said Carl Leonard, senior manager for security research at Websense.
“Some reports are saying millions of people had their details on the lists that were stolen - that is a lot of people who are now more vulnerable to spam, social engineering attacks targeted to their email address, and of course the subscribers have also experienced a loss of privacy.”
The impact on Epsilon
Whatever happens to users, Epsilon will be deeply concerned about the impact of the breach on its own business.
You have to wonder if some of its numerous big-name customers – the firm has around 2,500 large companies as clients – have sent strongly worded letters venting their fury at the breach.
“It's not just the reputation of Epsilon that has been negatively impacted but the reputation of the high profile global corporations who have now had to advise their customers that the data breach occurred,” Leonard noted.
Cosoi said it would take “some efforts to regain customers' trust,” but what if it emerges the breach was worse than first thought? Often, the true consequences of a compromise only become clear in the ensuing weeks and months.
So far, the firms involved have stated only emails and names were leaked.
“If later it becomes apparent that additional pieces of data were also extracted from their networks, this could further erode the trust that clients place in the business,” Leonard added.
Epsilon and its clients may also face investigations from regulators on both sides of the pond, including the Information Commissioner's Office (ICO) in the UK.
Of course, time could be a healer for Epsilon and if all keeps quiet for a while, the firm may recover without too much difficulty.