TiVo Email Partner Hacked 2
So I got this email today from TiVo. Relatively short and to the point. Definitely appreciated. I hope they fire that email service. There need to be repercussions for unauthorized data leaks. The company reported to have had the breach is Epsilon. If you are a client, time to get out of that contract.
I use a very specific email alias just for TiVo, so I’ll know if anything comes from this leak. Anyone knowing that address and my first name … oh well … lots of people know my first name. I’ll wait until spam starts before disabling this alias created for TiVo. This is the 2nd time that my TiVo specific alias has been released without my approval. Nice job selecting partners, TiVo. I still use a TiVo Series2, but haven’t paid them any money since 2004 due to the prior breach. At least they told me about it this time – perhaps due to the California law which requires customer notification of unauthorized data releases?
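The per-vendor alias trick above is a canary: if an alias given only to TiVo starts receiving mail from anyone else, the list has leaked, whoever is at fault. The script below is an added example, not code from this post or from TiVo or Epsilon. It assumes a registry mapping each alias to the sender domains that vendor is allowed to use, reads the To/Cc/Delivered-To headers of some constructed sample messages, and reports every alias that received mail from an unexpected domain. It goes one step beyond the post by deriving the alias tag from an HMAC over the vendor name, so the address cannot be guessed from the vendor name alone (the alias names, domains and messages are all made up for this example).

```python
"""Canary-alias leak detection (added example, not from the original post).

Assumptions: one alias per vendor, a registry of alias -> allowed sender
domains, and a mailbox we can read raw RFC 822 messages from.  All aliases,
domains and messages below are constructed for the example.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical registry: alias -> domains that vendor legitimately sends from.
ALIAS_REGISTRY = {
    "tivo-x7q2@example.com": {"tivo.com"},
    "bank-k9p1@example.com": {"usbank.com"},
}

# Constructed sample messages (headers + a stub body).  The second one is
# spam arriving at the TiVo-only alias, i.e. evidence that the alias leaked.
SAMPLE_MESSAGES = [
    "From: TiVo <service@tivo.com>\n"
    "To: tivo-x7q2@example.com\n"
    "Subject: Service Announcement\n\nbody",
    "From: Deals <promo@cheap-pills.example>\n"
    "To: tivo-x7q2@example.com\n"
    "Subject: You won\n\nbody",
    "From: US Bank <alerts@mail.usbank.com>\n"
    "Delivered-To: bank-k9p1@example.com\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Statement\n\nbody",
]

# Headers that can carry the address a message was actually delivered to.
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "Envelope-To", "X-Original-To")


def make_alias(vendor, secret, domain="example.com", tag_len=6):
    """Derive an unguessable per-vendor alias: <vendor>-<hmac tag>@<domain>.

    Deterministic for a given secret, so the same alias can be regenerated
    later; the tag stops anyone from guessing 'tivo@' style addresses.
    """
    vendor = vendor.lower()
    tag = hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:tag_len]
    return f"{vendor}-{tag}@{domain}"


def sender_domain(msg):
    """Return the lower-cased domain of the From: address ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def recipient_aliases(msg, registry):
    """Return the registered aliases this message was addressed/delivered to."""
    found = set()
    for header in RECIPIENT_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.lower()
            if addr in registry:
                found.add(addr)
    return sorted(found)


def domain_allowed(sender, allowed):
    """True if sender equals an allowed domain or is a subdomain of one."""
    return any(sender == d or sender.endswith("." + d) for d in allowed)


def find_leaks(raw_messages, registry=ALIAS_REGISTRY):
    """Return (alias, sender_domain, subject) for every off-registry sender."""
    leaks = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = sender_domain(msg)
        for alias in recipient_aliases(msg, registry):
            if not domain_allowed(sender, registry[alias]):
                leaks.append((alias, sender, msg.get("Subject", "")))
    return leaks


if __name__ == "__main__":
    for alias, sender, subject in find_leaks(SAMPLE_MESSAGES):
        print(f"LEAK? {alias} got mail from {sender}: {subject!r}")
```

In a real mailbox you would feed `find_leaks` the raw messages from the inbox and treat any hit as a signal to retire that alias and forward future mail to it straight to a spam trap; the registry, not the vendor's word, decides who may write to each alias.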
==================================================
TiVo Service Announcement
==================================================
Dear TiVo Customer,
Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.
We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.
Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.
Sincerely,
The TiVo Team
Here is what Epsilon says on their website:
IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.
If this was an insider job, there isn’t much that could have been done to protect against the release beyond limiting who could read the address list, logging and reviewing who did, and paying people well and giving them stock options so they have a financial reason to protect company assets.
More details about this breach
• TiVo
• Marriott Rewards
• Ritz-Carlton Rewards
• US Bank
• JPMorgan Chase
• Capital One
• Citi
• McKinsey & Company
• New York & Company
• Brookstone
• Kroger
• Walgreens
Again, there isn’t much that any of these companies could have done to prevent this breach, and they certainly aren’t at fault for choosing to use Epsilon as an outside email marketing company. Just look at that client list – there are probably 2000+ other companies using Epsilon too. Many of them must be well known and respected companies.
Epsilon appears to have limited the data on the sending system to the minimum needed to send an email with that personal touch: a first name and an email address. That is good practice (data minimization), and it leads me to think that only the actual sending system was breached and not the complete client database. It does not make the leak harmless, though: a name, an address, and the knowledge that the person is a TiVo customer is exactly what a phisher needs to craft a convincing TiVo-themed message, which is why the notice warns about links and attachments.
If the sending system was running in a 3rd party data center, which is how I’d do it, then this breach could have happened at the IaaS provider or in one of hundreds of other ways. The provider of the server would have some number of admins with access to the storage or the server, and any one of them could have snagged the email database. All of the client companies listed above could easily have been on the same physical server, even within the same virtual machine. The breach could have been an unknown back door too. It is hard to know at this point. The sending systems have to be on the internet, so keeping them on a protected, internal network isn’t really possible. More complex designs could keep the address list off the internet-connected server, but every email sent still passes through that server, so anyone who controls it could capture the addresses one message at a time anyway.
The only way I see this being prevented on other systems is through contractual penalties on the service provider and by hiring certified, professional, outside security consultants to regularly perform penetration tests and help secure these systems. The penalties need to be financial and high enough that preventing a breach is cheaper for the service provider than suffering one.
More details are coming out as lots and lots of Epsilon client companies are notifying their end customers about the breach. Here’s what they’re saying over at Krebs on Security about this situation.
Looks like it is time to update my Desktop Security recommendations to include: