If you get any emails from your checking or savings account provider during the next couple of weeks, watch out. You may be the target of a potential wave of "phishing" attacks due to a massive data breach at email communications provider Epsilon (from CNET).
The breach, which took place last week but was announced over the weekend, compromised the email addresses and some names belonging to the customers of many major U.S. companies that outsource their marketing and email communications to Epsilon.
The company said Monday that 2 percent of the companies it counts as clients are affected by the security breach. No official list of affected companies is available, and a company spokesperson said Epsilon cannot release the names of its clients. Epsilon is in the midst of investigating what led to the security breach.
The list of Epsilon clients whose customer email addresses were stolen is not complete, and it's likely to grow. But so far Target, Kroger, TiVo, U.S. Bank, JPMorgan Chase, Capital One, Citibank, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy have notified their own customers about the breach. Hilton Hotels and Ethan Allen are also said to be affected.
The takeaway here is that, while no credit card numbers or account numbers appear to have been compromised, bank account holders at U.S. Bank, JPMorgan Chase, Capital One and Citibank should be extra careful about responding to any emails about their accounts in the next few weeks. It's likely whoever stole the email addresses will try to use them for phishing, that is, obtaining sensitive information by pretending to be someone else, such as your bank or credit card company.
In other words, account holders should keep being critical, vigilant consumers who don't open suspicious emails, don't send sensitive information over email, keep an eye on their account balances and monitor their credit reports by ordering a free copy every four months.
But I think one of the biggest fallacies floating around about identity theft is that individuals have the most control over preventing it. If they would just sign up for some sort of identity theft prevention service or shred all their credit card offers before throwing them away, the thinking goes, they will be safe. Then a big data breach like this happens, illustrating that individuals are probably much better custodians of their information than many of the professionals charged with keeping it safe.
It seems to me banks need to tighten up a little bit if they want to keep doing more communication with customers over email to save money on postage, paper, etc. I think over time, customers will keep an eye on which banks can keep their data secure and which ones can't, and vote with their feet. Because ultimately, all the consumer vigilance in the world won't protect their identities if banks and their contractors don't do a better job keeping critical information secure.