Plenty more (potential) phish in the C:\

You might think it's a little late to blog here about the Epsilon factor, and, in fact, I don't intend to consider that beyond this point.
Not just because of the overblown media attention it has already received (been there, done that). Though that is why, contrary to my usual practice, I stopped maintaining my resource blog article on the topic after two days, since I'd stopped seeing any more useful material being published. (As opposed to: OMG! We're-all-going-to-be-spear-phished articles, that is.)
All I'm going to say about that now is this: While it's not good news if and when bad people get the names and email addresses of prospective victims, there are all too many ways for that sort of information to leak. The Epsilon breach was more significant if the perps were able to link the potential victim to a particular institution, thus enabling them to target more accurately, if they consider that worth the effort.
That's not a minor "if." It is not as though they're likely to save money by targeting more accurately, unlike legitimate marketers.
They were already able to enhance their social engineering slightly, since “Dear Mr. Harley, thank you for being a customer of Acme Banking” is a bit more convincing than “Dear firstname.lastname@example.org, thank you for being a customer of Acme Banking.” More so if I actually were a customer of Acme Banking, of course, but experience shows that people are strangely tolerant of the punt-gun approach to phish spamming. Perhaps it's analogous to being able to hear someone speak your name across the room at a noisy party: Phish that spoof institutions to which you don't have a connection don't hit your radar, but one that spoofs your bank does. But unless Epsilon has misled us on the type of data that was stolen, that's as far as it goes.
If anyone still wants advice on that, I'd simply suggest that they read Brian Krebs and Randy Abrams on identifying and dealing with generic phishing, and keep their shields raised, psychologically speaking.
The Lone Star state's mishap with employment and retirement records, however, is a different kettle of (potential) phish, and I'm more than a little surprised that it hasn't attracted more attention.
According to the few reports that have crossed my radar, sensitive records for nearly 3½ million people sat on a public server for nearly a year, unencrypted and apparently in defiance of Texas state law. And I do mean sensitive (in some cases, at least):
- Street addresses
- Social Security numbers
- Dates of birth
- Drivers' licence numbers
That's a long way towards an identity theft goodies bag.
The exposed records include:
- 1.2 million practising or retired educators from the Teacher Retirement System of Texas database
- 2 million people listed in the Texas Workforce Commission system database
- 281,000 individuals in the Employees Retirement System of Texas database.
If one of those sounds like you, you might want to hotfoot it to the Texas Comptroller of Public Accounts “Texas Safeguard” web page, which has more information on the breach and comprehensive advice on what to do next, resource links and so on.