Details are still sketchy, but it seems that in late March, email marketing company Epsilon was hit by an attack that saw millions of names and email addresses stolen from their database.
They have released a statement which reads:
"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorised entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only.
While Epsilon are minimising the events, those familiar with phishing scams know that this is exactly the sort of information scammers need to produce highly targeted phishing scams that can lead to far more serious breaches down the track.
The situation is made all the more serious given that Epsilon's clients include many high-profile financial institutions, including JP Morgan Chase, Citibank and U.S. Bank.
"In the early phases, it's really hard to know who the perpetrators are and hackers are really good at covering their tracks,” said Kevin Rowney, director of breach response, Symantec.
"Currently e-mail addresses and names appear to be among the stolen data. Given this, consumers should be on the lookout for any new pattern of activity from a possibly suspicious source.
Epsilon is responsible for sending more than 40 billion marketing emails a year, and the fallout from the breach is expected to be severe.
Symantec is encouraging consumers to be vigilant and on the lookout for suspicious emails, and advises people to follow these best practices to avoid any phishing attacks triggered by this incident:
- Know the online policies of any provider you have an online account for. Banks, credit providers and other services will never ask you to confirm your personal details via an email.
- Make sure the URL of the site linked in the message corresponds to the name of the company that the message purports to be from.
- Check the message or email for spelling and grammar mistakes or other indications that it was not written by a professional. Such traits are hallmarks of phishing emails.
- Never click on a link within an email, IM or social networking site. Instead, re-type the address into your browser.
- Do not dial phone numbers included in the notification letters but rather visit the main website and get the customer service number there. Spam will often spoof these email notifications.