Petaling Jaya, Malaysia (PressExposure) April 17, 2011 -- The consequences of Epsilon's recent security breach in the US may have wreaked more havoc than expected. Dell Australia sent an email message to customers yesterday informing them that Epsilon, the company Dell uses to manage its email communications with customers, had been broken into, exposing customers' personal information including full names and email addresses.
Dell Australia warns that Australian customers of other companies could unknowingly be affected following a major security breach at the global email service provider. This exposes customers to scams, as the hackers could contact Dell's customers while pretending to represent the company.
Epsilon sends out about 40 billion emails a year on behalf of 2,500 client companies, and it is reported that the breach was so serious that the US Secret Service is investigating. The company says its clients operate "primarily in the financial services, specialty retail, hospitality and pharmaceutical end-markets".
In Australia, the Privacy Commissioner, Timothy Pilgrim, said he was opening an "own motion investigation" into the incident. Pilgrim said that, at this point, only Dell Australia had contacted his office to own up to the breach; however, security professionals warn that the issue almost certainly affects Australian customers of other companies that use Epsilon.
Security professionals say that many other companies with Australian customers are likely to have been affected, but we may never know which ones because there is no law forcing companies to disclose security breaches such as this.
The former team leader of investigations at the Australian High Tech Crime Centre, Nigel Phair, who is now working as a private consultant, said Australia "desperately needed" data breach legislation that would compel companies to report these sorts of privacy breaches.
The Australian High Tech Crime Centre (AHTCC) is an Australia-wide policing initiative to coordinate the efforts of Australian law enforcement in combating serious, complex and multi-jurisdictional high tech crimes, especially those beyond the capability of single policing jurisdictions in Australia. Other roles include protecting the information infrastructure of Australia, and providing information to other law enforcement to help combat online crime.
"Constant news headlines tell us how vulnerable our personal information is and as consumers we don't even know where or how it is stored," he said.
Dell Australia did the right thing by informing customers and the Privacy Commissioner but there was nothing to compel it to, he said.
In addition to email marketing, it has been revealed that Epsilon collects all sorts of other data about customers on behalf of clients, including social networking posts, giving clients access to details such as age, profession, address and political persuasion.
The information seized would give scammers all the ammunition they need to conduct highly targeted and believable "spear phishing" attacks.
Phishers target the customers of banks and online payment services. E-mails supposedly from the Internal Revenue Service have been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately, in the expectation that some would reach customers of a given bank or service, more recent research has shown that phishers may in principle be able to determine which banks potential victims use and target bogus e-mails accordingly. Such targeted versions of phishing have been termed spear phishing.
"In the United States disclosure of unauthorized security breaches is mandatory and this is why we are hearing about this case," he said.
"In Australia, the same level of disclosure is not currently mandatory and there are many similar cases that are not only not reported, but not disclosed to the same extent. This case of unauthorized entry is not unusual and, we believe, is a continuing trend for 2011."
The Privacy Commissioner said that the recent report on privacy laws compiled by the Australian Law Reform Commission recommended that new data breach notification requirements be implemented, which would force companies to own up to privacy breaches such as this. However, the Federal Government has yet to say whether it will take this recommendation on board.
Organizations need to implement robust internet security initiatives, including hiring highly trained information security experts, in order to avoid security breaches. Information security professionals can increase their information security knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST) to address the shortage of highly technically skilled information security professionals. CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics, Advanced Application Security, Advanced Network Defense, and Cryptography. These highly sought-after advanced information security training courses will be offered at all EC-Council hosted conferences and events, and through specially selected training partners. The launch classes for CAST will be held at the upcoming TakeDownCon Dallas, from May 15-17, 2011.