Canadians among those hit by massive email hack
April 04, 2011

Lesley Ciarula Taylor
TheStar.com

Canadians are among the millions of people whose email addresses have been stolen in a massive security breach.

Customers of Best Buy Canada, TiVo Inc. and online booksellers Abe Books are among the growing list of people now exposed to possible spam attacks and efforts to extract their confidential information.

“The only information that has been exposed was your name and email address,” Best Buy Canada warned customers in an email. “Account details, passwords or any other person information were not at risk.”

Hackers stole the addresses from a firm called Epsilon, which acts as an email provider for 2,500 companies. Epsilon describes itself as the world’s largest permission-based email marketing provider.

Epsilon spokeswoman Jessica Simon declined to say if any other Canadian clients of the Dallas-based email provider have been hit.

“We’re conducting a full investigation. I can’t give you any specifics,” she told the Star.

Epsilon started alerting customers Friday, but new breaches continue to be found. The first breach occurred March 30, the company’s brief email said on Friday.

“It is possible that you may receive spam email messages as a result and we would advise you to be very cautious when opening links or attachments,” the Best Buy warning said, in language nearly identical to the other companies’ customer warnings.

The breach so far has also hit major U.S. banks and credit-card companies, including Capital One, Barclays Bank, U.S. Bancorp, Citigroup, and JPMorgan Chase I Co., drugstore Walgreen Co., LL Bean Visa Card, hotel chains Ritz-Carlton and Marriott Rewards, Home Shopping Network, Brookstone, Disney Destinations and New York & Company clothing store.

At least one online magazine, McKinsey Quarterly, was also exposed. Customers of Abe Books also said they were notified.

The 7 million students involved with the U.S. College Board are also vulnerable.

The stolen email addresses could be used in “phishing” attacks in which hackers use legitimate-looking emails to fish for account login information.

Since the hackers have the email addresses but not access to the companies’ “from” addressed, a “phishing” attack will have a modified sender.

Epsilon, a unit of Alliance Data Co., handles more than 40 billion emails a year for its companies, including seven of the top-10 Fortune companies, according to its website.

“Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher ‘hit rate’ than a typical ‘blind’ spamming campaign would yield,” Internet security website SecurityWeek.com said. “So having access to this information will just help phishing attacks achieve a higher success rate.”