Firms warn customers against e-mail swindles

4/6/2011

NEW YORK TIMES

Security experts say millions of people are at increased risk of e-mail swindles after a giant security breach at an online marketing firm that was disclosed this week.

The breach exposed the names and e-mail addresses of customers of some of the nation's largest companies, including Kroger Co., JPMorgan Chase, and Target Co. Experts say that, based on the banks, retailers, and other businesses involved, the breach may be among the largest ever. It could lead to a surge in phishing attacks -- e-mails that purport to be from a legitimate business but are intended to steal information such as account numbers or passwords.

While e-mail addresses may not seem particularly vulnerable, experts say that if criminals can associate addresses with names and a business such as a bank, they can devise highly customized attacks to trick people into disclosing more confidential information, a technique known as "spear phishing."

In ordinary phishing attacks, criminals e-mail people with a message that appears to be from a bank or other business, hoping some recipients will be customers and follow instructions to, for example, "update account information."

A spear-phishing e-mail is more dangerous because it can include a person's name and is sent only to people known to be customers of a business, greatly increasing the likelihood the targets will be duped.

With the information stolen from Epsilon, which handles e-mail marketing lists for hundreds of clients, thieves could send JPMorgan Chase customers an e-mail that appeared to be from the bank, complete with their names, said Mark Seiden, an information security consultant in Silicon Valley. If the criminals cross-check a name with the property records of mortgage holders, they could include the customer's address in the e-mail, he said.

Among the companies that alerted customers or acknowledged being affected are Best Buy Co., Walt Disney, Marriott, Ritz-Carlton, L.L. Bean, and Walgreen Co.

"Your account and any other personally identifiable information were not at risk," clothing retailer New York & Co. told customers in an e-mail. "Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We also want to remind you that we will never ask you for your personal information in an e-mail."