14 DAY TRIAL // The recent data breach at email marketing provider Epsilon, that led to the exposure of millions of email addresses, might have been the result of a targeted attack the company knew about.
On November 24 last year, Return Path, a company specializing in email reputation and monitoring, alerted their partners that Email Service Providers (ESPs) are being targeted in a spear phishing attack.
The attack consisted of rogue emails sent to ESP posing as messages from friends or colleagues.
The emails addressed recipients and their employers by name and contained a link, allegedly to wedding photographs.
The link led to a page distributing malware that was capable of disabling antivirus software, stealing passwords and opening a backdoor on infected systems.
"This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable," wrote Return Path's senior director of security strategy, Neil Schwartzman, at the time.
Three weeks later, Silverpop Systems, an email marketing provider used by many large companies, announced the leak of customer email lists. The breach affected Walgreens, McDonald's, deviantART, Honda Motors, Play.com and an estimated 100 other companies.
According to Epsilon's website, the company has a strategic partnership with Return Path which involves using its technology, therefore, it most likely received the spear phishing alert back in November.
iTnews reports that Epsilon subsequently installed systems to monitor network traffic for unusual activity and it was those systems that alerted its administrators on March 30 that something is going on.
"We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers.[...] We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence," said Epsilon President Bryan J. Kennedy.