Computer repair guys like me usually roll our eyes when some media pundit calls something “the biggest hack of all time.”
Seriously, how could it top getting free long-distance phone calls just by blowing a Cap’n Crunch cereal-box whistle into a pay phone (google “Cap’n Crunch pay phone”)? How about the Russian college grad who, in 1995, figured out how to transfer $10 million from Citibank’s coffers to his own (google “Vladimir Levin”)? Or building a circuit box that lets you make free long-distance phone calls, using it to call the Pope, and then going on to co-found Apple Computer (google “Steve Wozniak”)?
Still, some security experts are calling one particular hack that was revealed this week “one of the biggest breaches in U.S. history.”
Turns out that Internet marketing giant Epsilon (epsilon.com) admitted last Friday that their email systems had been hacked and the bad guys made off with the names and email addresses of gazillions of consumers.
“Ho-hum,” you say, “what makes that such a big deal?” Epsilon is a third-party email marketing provider. Big companies farm out their email chores to companies like Epsilon, freeing up in-house resources. Often, if you receive an email from a company that you shop with, like Best Buy, that email didn’t really come directly from Best Buy; it was actually funneled through a company like Epsilon, which keeps the list of names and addresses and does the actual sending.
What makes the Epsilon screw-up such a big deal is that they handle email chores for just about everybody. Companies reporting email database thefts from Epsilon include TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network (HSN), Ameriprise Financial, LL Bean, Visa Card Lacoste, AbeBooks, Hilton Honors Program, Dillons, Fred Meyer, Beachbody, TD Ameritrade, Ethan Allen, Eileen Fisher, MoneyGram, TIAA-CREF, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, Robert Half, Target, QFC, bebe Stores, Ralphs, Fry’s, 1-800-Flowers, Red Roof Inn, King Soopers, Air Miles, and Eddie Bauer.
“A rigorous assessment determined that no other personal identifiable information associated with those names was at risk,” reps for Epsilon said. “A full investigation is currently underway.” Wow, sounds like a press release from Congress.
At least only names and email addresses have been stolen, or so they say; that’s good. What that means, though, is that the world is going to see a flood of new, targeted-by-name spam email. Scammers now know not just your name and address but which companies you shop or bank with, so they can send out official-looking fake emails that impersonate the right store or bank and address people by their actual names. This will, of course, entice many more people to divulge things like account logins and passwords than would have otherwise happened. In fact, in the days since the hack was revealed, signs of the new scam onslaught have already begun to appear.
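Because legitimate marketing mail is relayed by a third party, “the sender isn’t the store” is not by itself a sign of a scam; what gives a phish away is where its links actually point. The following is an added example, not from the column and not Epsilon’s or Best Buy’s code: it reads the From: domain, the envelope sender (Return-Path), the DKIM signing domain (the d= tag only; the signature is not cryptographically verified here) and every link in the body, and flags links that match none of those domains. The two messages are constructed samples under the reserved .example TLD, the two-label “registrable domain” rule is a simplification of the real Public Suffix List, and the Python functions are my own names.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). retailer.example stands in for
# the brand, mailer.example for a third-party e-mail marketing provider and
# login-check.example for a phisher using the stolen name-plus-brand list.
LEGIT_MSG = b"""\
Return-Path: <bounce-001@mailer.example>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example; s=sel; h=from:to:subject; bh=AAAA; b=BBBB
From: "Retailer Rewards" <rewards@retailer.example>
To: customer@home.example
Subject: Your rewards statement
Content-Type: text/plain

Hi Dave, your statement is ready: https://click.mailer.example/t/abc123
"""

PHISH_MSG = b"""\
Return-Path: <x@retailer-verify.example>
From: "Retailer Rewards" <rewards@retailer.example>
To: customer@home.example
Subject: Action required: verify your account
Content-Type: text/plain

Dear Dave Moore, log in at http://retailer.example.login-check.example/verify
within 24 hours or your account will be closed.
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable(host):
    """Collapse a hostname to its last two labels (click.mailer.example ->
    mailer.example). Assumption: a real tool would use the Public Suffix
    List; this two-label rule is wrong for names like example.co.uk."""
    if not host:
        return None
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def header_domain(msg, name):
    """Registrable domain of the address in an address-style header, or None."""
    value = msg.get(name)
    if value is None:
        return None
    addr = parseaddr(str(value))[1]
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else None


def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header: who claims to have signed.
    Only the tag is read; the signature itself is not verified here."""
    sig = msg.get("DKIM-Signature")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig)) if sig else None
    return registrable(m.group(1)) if m else None


def link_domains(msg):
    """Registrable domains of every http(s) URL in the text parts of the body."""
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                found.add(registrable(urlparse(url).hostname))
    return found - {None}


def analyze(raw):
    """Compare the visible From: domain with the envelope sender, the DKIM
    signing domain and the link targets. A third-party relay is normal for
    marketing mail; a link that matches none of those domains is not."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = header_domain(msg, "From")
    env_dom = header_domain(msg, "Return-Path")
    dkim_dom = dkim_domain(msg)
    trusted = {d for d in (from_dom, env_dom, dkim_dom) if d}
    stray = sorted(link_domains(msg) - trusted)
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "dkim_domain": dkim_dom,
        "third_party_relay": env_dom is not None and env_dom != from_dom,
        "stray_links": stray,
        "suspicious": bool(stray) or dkim_dom is None,
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG)):
        print(label, analyze(raw))
```

Run against the two samples, the marketing message reports a third-party relay (envelope and signing domain mailer.example, From: retailer.example) but nothing stray, while the phish has no DKIM signature and a link whose real domain is login-check.example, not the retailer.example that appears at the start of the hostname. Assuming a stolen name-and-brand list, the phish looks exactly like the marketing mail in its greeting and branding; only the headers and link targets differ, which is why a mail client should show the true link domain before anyone types a password.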
I first learned of the hack when I received an email from Best Buy, warning me of what had happened. I’ve bought tons of computer stuff from Best Buy and they have my email address. Now, it seems that the bad guys have it, too.
Still, it was good of Barry Judge, Best Buy’s Executive Vice President & Chief Marketing Officer, to let me know what was going on. After a bit of Google searching, I located Barry’s email address (his message did not include any email addresses or phone numbers) and decided to send him a reply.
“Hello Barry,” I wrote. “Thank you for the heads up about the email hack. As a long-time Best Buy customer and tech columnist for our local newspaper, The Norman Transcript, I would like to know how you intend to compensate me for my losses associated with this breach in your lax security measures.”
I wrote this email partly as an experiment and partly because I am weary of the constant cycle of hacks, attacks and thefts of personal information where nobody ever seems to get in trouble for their crummy computer security. Personal information is stolen and people get ripped off, yet the people responsible for security never seem to be fined, lose their jobs or even get yelled at.
I didn’t really expect a reply to my email but, lo and behold, I got a reply the same day; not from Mr. Judge, mind you (I imagine he’s been pretty busy, lately), but from Michael Bredemeier, Best Buy’s “Executive Resolution Specialist.” It read:
“Dear Mr. Moore,
“Like many well-known brands around the world, Best Buy utilizes industry leading marketing providers such as Epsilon to help enhance the experience of our loyalty program members. These companies use rigorous security measures in place to prevent a security breach from occurring.
“Unfortunately, those measures fell short in this specific situation. This is not acceptable to me or Best Buy.
“I share the concerns you have regarding your privacy, and understand that your confidence in Best Buy may have been undermined as a result of this event. We have an investigation of our own in progress and we are working rigorously in conjunction with the proper authorities. At this time, Best Buy is not providing any compensation for the hacking that affected several companies throughout the US and Canada. If further information becomes available we will share it as soon as we can.”
Mr. Bredemeier then directed me to a Best Buy/Geek Squad website that offered some very half-hearted advice about computer security.
I admire Best Buy for mustering up a reply, especially a personal reply that actually answered my very pointed question, and for admitting that their security measures “fell short.” I wonder, though, if anyone in charge of security at Epsilon, or any of the companies listed above, will ever be penalized for doing such a lousy job, or will it all be written off as an “acceptable loss” and business will continue as usual?