NEW YORK | With the possible theft of millions of email addresses from an advertising company, several large companies have started warning customers to expect fraudulent emails that try to coax account login information from them.
Companies behind such brands as Chase, Citi and Best Buy said over the weekend that hackers may have learned their email addresses because of a security breach at a Dallas-based company called Epsilon that manages email communications.
The email addresses could be used to target spam. It’s also a standard tactic among online fraudsters to send emails to random people, purporting to be from a large bank and asking them to log in at a site that looks like the bank’s site. Instead, the fraudulent site captures their login information and uses it to access the real account.
The data breach could make these so-called “phishing” attacks more efficient, by allowing the fraudsters to target people who actually have an account with the bank.
David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate phishing toward more intelligent attacks known as “spear phishing,” which rely on having more intimate knowledge of the victims.
“This data breach is going to facilitate that in a big way. Now they know which institution people bank with, they know their name, and they have their email address,” said Mr. Jevans, who is also the CEO of security company IronKey Inc.
“You’re not going to see typical phishing where 90 percent of it ends up in spam traps and is easily detected. This is going to be highly targeted,” he added.
Among the affected are financial-service companies such as Capital One Financial Corp., Barclays Bank, U.S. Bancorp, Citigroup Inc., JPMorgan Chase & Co. and Ameriprise Financial Inc., and retailers including Best Buy Co., TiVo Inc., Walgreen Co. and Kroger Co.
The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.
Walt Disney Co.’s travel subsidiary, Disney Destinations, sent emails warning customers Sunday. Hotel chain Marriott International Inc. issued a similar warning.
Epsilon said Friday that its system had been breached, exposing email addresses and customer names but no other personal information.
Epsilon, a unit of Alliance Data Systems Corp., sends more than 40 billion emails annually and has more than 2,500 clients.
Shares of the parent company fell $2.78, or 3.2 percent, to $83.15 in early afternoon trading Monday.
The scale of the data breach meant that many people got warnings from multiple companies over the weekend.
By Elaine Donnelly
Extending sexual misconduct to combat units
Independent voices from the TWT Communities
Video reviews of today's hottest trends in Minecraft (servers and mods) along with a look at the latest video games with your host MCairsoft14 (alias Jerad Zad).
Covering the world of soccer, including the World Cup, Major League Soccer, D.C. United and the English Premier League and other interesting sporting events.
Contributions to the Communities Sports desk from readers.
Straight talk on climate science, energy economics, and public policy.
Benghazi: The anatomy of a scandal
Vietnam Memorial adds four names
Cinco de Mayo on the Mall
NRA kicks off annual convention