Extreme Disclosure? Not yet but a great trend!
There is a trend in vigilant disclosure by some companies and service providers. A reader wrote in with a great example of an email disclosure. U.S. Bank informed it's customers of a breach in a partners system. It went on to disclose that the partner system had been accessed by unauthorized users and that customer email addresses had been exposed.
What stuck out for myself and other handlers that commented, was the way the disclosure was handled. U.S. Bank then clearly identified it's information disclosure policy. They followed on to inform customers that at no time was financial data disclosed and that only Epsilon's systems had been accessed.
If you have had any disclosures from vendors please send them in to us. Packets are better but we take disclosures as well!
Below is the email that was relayed.
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
Update
Thanks to all of those that sent in their notifications. On the list so far:
Best Buy, Home Depot, Chase, U.S. Bank, Robert Half, Disney Destinations, Citibank, Hilton Honors. No doubt there will be more to come.
-MH-
UPDATE 2
Epsilon in their press release mentions that only email addresses and names have been compromised for approximately 2 percent of their clients. A quick calculation shows that is at least 50 organisations (over 2500 clients). So a few more of you may be getting notifications.
Richard Porter
--- ISC Handler on Duty
Can be reached:
Twitter: packetalien
Email: richard at isc dot sans dot edu
Comments
I got three disclosures this weekend alone because of the Epsilon breach, the same company US Bank used. First it was SilverPop last December, then Epsilon last week and there are some rumblings that the TripAdvisor email address breach, which I also got, may have been from a third company that hasn't disclosed yet.
JJ
Apr 3rd 2011
1 decade ago
Barclay
Kroger
Brookstone.com
Walgreens
U.S. Bank
New York & Co.
JP Morgan Chase
McKinsey Quarterly
TiVo
Capital One
City Market
Fred Meyer
Fry's
Marriott Rewards
Ritz Carlton
Smith Brands
Citi
Home Shopping Network
Dillons
Jay C
Food 4 Less
King Snoopers
QFC
Ralphs
Ameriprise
Disney Destinations
AbeBooks
Mike T
Apr 4th 2011
1 decade ago
I'll forward it in.
BJ
Apr 4th 2011
1 decade ago
BJ
Apr 4th 2011
1 decade ago
patermann
Apr 4th 2011
1 decade ago
Scott H
Apr 4th 2011
1 decade ago
LEG-523 student
Apr 4th 2011
1 decade ago
WilliamL
Apr 4th 2011
1 decade ago
No they don't. that is the beauty of hashes. Like passwords, they can salt&hash your mailaddress, so they don't need to keep your info, but can still verify that you DO NOT want SPAM. Off course the spammers could do a bruteforce on it, but it would, at least, make their efforts more expensive and perhaps not worth it...
nqe
Apr 4th 2011
1 decade ago
Hashes are your friend. Use them whenever possible.
Brandioch Conner
Apr 4th 2011
1 decade ago