Hit By the Epsilon Security Breach? Here's How to Protect Your Personal Information

If you're a customer of Best Buy (BBY), Citigroup (C), or any one of the 2,200 global brands that relies on email marketing giant Epsilon, you may have received a rather alarming notice over the weekend. Epsilon has reported a security breach that may have compromised your email address and name.

While it may at first sound like the identity thieves walked away with very little, the potential for damage can be great, say security experts. For example, armed with your name, email address, and the name of a company with whom you do business, identity thieves can send an authentic-looking but bogus Best Buy email asking you to supply your credit card information or other personal information. This can later be used to pilfer your financial accounts.

Sponsored Links

Security experts note, however, that consumers can take a number of actions to safeguard their personal information in the wake of the Epsilon hack attack.

"Most likely this information will be used for phishing attacks. If they know the email list you subscribe to, it's more likely they can write a convincing email to deceive you," says Thomas Kristensen, chief technology officer for security software firm Secunia.

First and foremost, when receiving an unsolicited email, do not immediately click on the link or open the attachment contained in the email. The link can take you to a nefarious website, which can infect your computer. Or the attachment may download software that will track your computer keystrokes -- including the passwords you type.

What You Can Do

Here are some steps consumers can take when receiving an unsolicited email, according to Kristensen:

  • Open a new browser and visit the website that supposedly sent the email; check to see if it's promoting the same offer that has been sent to you unsolicited;

  • Mouse over the link contained in the email and look at the lower left corner of the screen to see if the domain name matches the company that is purportedly sending the email;

  • If you must click on the link, once it's open it should still show the same domain name. If it doesn't -- and it asks you for financial information like a bank account number or social security number, do not provide the information. If the opened link now has a different domain name, although it's not requesting financial information, the identity thief may have opted to infect your computer with a virus instead.

  • Best advice of all is to avoid clicking on links or opening attachments placed in unsolicited emails.

  • And, finally, keep your security software updated.

Best Buy and McKinsey Quarterly, two Epsilon clients that were affected by the email security breach, issued their own warnings to customers. Best Buy says in its email:

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our
customers, that files containing the email addresses of some Best Buy customers
were accessed without authorization.

We have been assured by Epsilon that the only information that may have been
obtained was your email address and that the accessed files did not include any
other information. A rigorous assessment by Epsilon determined that no other
information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We
ask that you remain alert to any unusual or suspicious emails. As our experts at
Geek Squad would tell you, be very cautious when opening links or attachments
from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to
provide or confirm any information, including credit card numbers, unless you
are on our secure e-commerce site, www.bestbuy.com. If you receive an email
asking for personal information, delete it. It did not come from Best Buy.

And McKinsey Quarterly told its clients:

We have been informed by our e-mail service provider, Epsilon, that your e-mail
address was exposed by unauthorized entry into their system. Epsilon sends
e-mails on our behalf to McKinsey Quarterly users who have opted to receive
e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was
your first name, last name and e-mail address and that the files that were
accessed did not include any other information. We are actively working to
confirm this. We do not store any credit card numbers, social security numbers,
or other personally identifiable information of our users, so we can assure you
that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We
want to urge you to be cautious when opening links or attachments from unknown
third parties. Also know that McKinsey Quarterly will not send you e-mails
asking for your credit card number, social security number or other personally
identifiable information. So if you are ever asked for this information, you can
be confident it is not from McKinsey.

When consumers receive emails that appear questionable, Kristensen advises consumers to forward the email to the company's customer service or security department.

"Most companies would like to know," Kristensen says. "And if they are in fact legitimate but people think they're not, that will also tell them they have to do a better job in presenting the information."

Other companies affected by the security breach include Citigroup, J.P. Morgan Chase (JPM), Barclays (BCS), U.S. Bancorp (USB) and Capital One Financial (COF), according to a Wall Street Journal report. And, according to an Orlando Sentinel report, Disney Destination (DIS) was also affected.

Epsilon, which issued its warning Friday, said it detected the security breach on March 30 in a subset, or portion, of Epsilon clients' customer data. The company noticed the email addresses and names of customers were exposed via an unauthorized entry into its email system.

Get info on stocks mentioned in this article: