Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.

Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from McKinsey Quarterly:

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Three quick observations about What It Means:

First, this is embarrassing for Epsilon. It suggests that they have some work to do on their defenses. We don’t know how the attackers got in — it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).

Second, the attack will be of no consequence to most people. Yes, as many commentators have written, there is an “elevated risk of spear phishing attacks,” which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don’t get much, if any, spam — thanks to Perimeter’s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don’t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.

Third, nice work McKinsey! The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You’ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn’t). This is exactly what you should say in an e-mail like this.

The bottom line is this: spam happens. Just make sure that your employees and colleagues don’t blindly click on attachments they shouldn’t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don’t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.

It is not clear whether the theft of this information enables attackers to compromise customers’ own SecurID deployments. RSA claims that the information obtained by the attackers does not. As described in RSA’s advisory (http://www.rsa.com/node.aspx?id=3872):

“[RSA has] no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

However, RSA’s news release notes that “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

We strongly urge customers to read the full advisory from RSA here: http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm

There is no indication that suggests Perimeter’s customers are at risk. We are continuing to monitor the situation and will send out additional updates as new information is made available.

All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before.  One of the pieces of information that they captured (or rather systematically guessed and then verified through data extraction) is the ICC-IDs.  This is the unique identifier on the iPad.  Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes.  This could have very serious security ramifications, especially when you consider those that were among that list of 144,000.  If this were really possible (which no one has shown that it really is yet), it is certainly a privacy issue but would hedge on a national security problem.  Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times.  There are a lot of scary scenarios that we could talk about if this were really possible.  But I didn’t think of the risk the ICC-IDs could potentially have when I wrote my initial blog post.

Poor website security practices by AT&T lead to the breach, but like many breaches, AT&T is just the third party.  So when everyone references this breach in the future it will be Apple’s name, not AT&T.  That being said, this is somewhat symbolic because emails by themselves usually don’t constitute a data breach.  It is unclear what other information, if any, was also captured.  This is an interesting case because no other time would anyone care about email addresses being exposed.  This isn’t about a data breach, it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses.  A list like this simply doesn’t exist.  But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners that signed up for the 3G service.  While they say 114,000 emails were compromised, it is likely that many others were compromised as well.    Personally, this is where I think Goatse stepped over the line.  They detected and exploited the vulnerability.  They told AT&T about it.  They wanted press and they have it.  But they said that they gave the vulnerability exploit and script to others.  Who are these others?  What did they do with this information?  It is always a slippery slope when a rogue security firm does this type of thing in the first place.  But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use.  That is what makes it go from grey to black very quickly.  Let’s all remember it is just email addresses (as far as we know).  It isn’t like someone hacked into the government, took over the presidents “red phone” and called in a nuclear strike.  But due to the high profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.