Stolen Data May Be Sold on Cyber Black Market
Hackers behind what computer security experts believe could be the biggest data theft in U.S. history may be planning to sell the information to cyber criminals for targeted scams.
And while the tens of millions of names and email addresses swiped from online marketing firm Epsilon do not appear to have been used yet for cyber crime, experts said it may just be a matter of time.
Major U.S. banks, hotels, retail outlets and other companies have been warning customers to be wary of fraudulent emails after Epsilon acknowledged last week that hackers had gained access to the Texas-based company's email system.
Epsilon, which provides email services for some 2,500 companies around the world, has said that customer data for about two percent of its total clients was exposed in what it called an "unauthorized entry."
Ed Heffernan, chief executive of Alliance Data Systems Corp., Epsilon's parent company, apologized for the breach on Wednesday and said it was being investigated by federal authorities and outside computer forensics experts.
"We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber thieves with the greatest sense of urgency," Heffernan said.
Epsilon, which sends out over 40 billion emails a year, did not identify the firms whose customers' names and email addresses were taken but dozens of U.S. companies have come forward over the past few days.
"It's basically a who's who from the retail and banking space," said Nicholas Percoco, head of Trustwave's SpiderLabs. "Some of the top brands in the world."
They include Hilton and Marriott hotels, telecom giant Verizon, drugstore chain Walgreens, the Home Shopping Network and retailers Best Buy, Kroger, New York & Co. and Target.
Banking and financial firms include Citigroup, JPMorgan Chase, Capital One, U.S. Bank, Barclays Bank of Delaware and Ameriprise Financial.
Experts said the data theft at Epsilon could be the largest ever in terms of volume, comparable to the exploits of Albert Gonzalez, a hacker serving 20 years in prison for stealing tens of millions of debit and credit card numbers.
Percoco said the Epsilon data theft may involve as many as 100 million email addresses and "could end up being the largest breach ever of raw personal data, consumer data."
"All indications are this could be the biggest one in history," agreed Marian Merritt, Internet Safety Advocate at Symantec, the maker of Norton anti-virus software.
It is unlikely, however, to prove as damaging as the Gonzalez scams.
"The good news is it's just the names and the email addresses and the affiliation of the company that you did business with," said Joris Evers, a security expert at McAfee.
"It's not your credit card number or your social security card number or your home address... information that could be more personal and used in more nefarious ways immediately," Evers said. "There's a lot of work to do before you can convert this into cash."
The Epsilon data does not appear to have been used yet for any cyber crime.
"We have been looking around since this news broke for spam and scams and scam websites that potentially take advantage of this breach and we haven't seen anything just yet," Evers said.
That may be because the hackers who carried out the Epsilon attack intend to sell the information to other cyber criminals.
"There are marketplaces on the Internet, underground markets, where people sell bulk bunches of email addresses and names," Evers said. "You can buy a million email addresses for $20 or something like that.
"But that's just email addresses, mailing lists that you can then start spamming."
The information stolen from Epsilon is potentially much more valuable because it links names and email addresses with particular companies that already have a trusted relationship with an individual.
"You've already identified yourself as willing to receive communications from those brands," Merritt said. "So the cyber criminals have pretty good information to use against you."
Evers said such information can be a "treasure trove" for cyber attackers because now they can start personally targeting individuals, a tactic known as "spear phishing."
For example, "you might have bought something from LL Bean recently," he said. "You receive an email that says 'We want to confirm your order, please click here.'
"And you end up on a website that infects your computer with something. Or you're asked to type in your credit card number again to make sure the order goes through," he said. "And now, boom, I have your credit card information."
Whatever form the attacks take, experts are certain they're coming.
"They didn't go get these email addresses and names just to get them," Percoco said. "They're going to use them."