SAN FRANCISCO (AP) - Think twice next time you get an email from Chase or Citi asking you to log in to your credit card account. The bank may not have sent it.
A security breach that exposed the email addresses of potentially millions of customers of major U.S. banks, hotels and stores is more likely than traditional scams to ultimately trick people into revealing personal information.
Security experts said Monday they were alarmed that the breach involved targeted information _ tying individuals to businesses they patronize _ and could make customers more likely to reveal passwords, Social Security numbers and other sensitive data.
The company that was in charge of the email addresses, a Dallas marketing firm called Epsilon, handles online marketing for some of the biggest names in business. Those companies have flooded customers in recent days with warnings to be on guard.
Epsilon said that while hackers had stolen customer email addresses, a rigorous assessment determined that no other personal information was compromised. By itself, without passwords and other sensitive data, email addresses are of little use to criminals. But they can be used to craft dangerous online attacks.
Citi credit card customers, for example, are more likely to respond to an email claiming to be from Citigroup than from a random bank. The email might direct the customer to a site that looks like the bank’s site, capture login information and use it to access the real account.
David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate email scams, known as “phishing,” toward more intelligent attacks known as “spear phishing,” which rely on more intimate knowledge of victims.
“This data breach is going to facilitate that in a big way,” said Jevans, also CEO of security company IronKey Inc. “Now they know which institution people bank with, they know their name and they have their email address.”
The information could also help criminals send highly personalized emails to victims. Doing so makes the email more likely to get past a spam filter.
Epsilon, a unit of Alliance Data Systems Corp., sends more than 40 billion emails a year and has more than 2,500 business clients. Stock in the parent company fell $1.73, or 2 percent, to close Monday at $84.20.
Meanwhile, more than a dozen companies contacted customers to instruct them never to reveal personal information in response to an email.
Financial institutions affected include Barclays Bank, Capital One Financial Corp., Citigroup, JPMorgan Chase and U.S. Bancorp. The parent companies of Best Buy, Ethan Allen furniture stores, the Kroger grocery chain, the Home Shopping Network and Walgreens drugstores issued similar warnings, as did the Hilton and Marriott hotel chains. The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.
Many of the companies contacted by The Associated Press declined comment or referred reporters to statements acknowledging the breach. Epsilon also declined further comment. Some of the companies said Epsilon has referred the breach to unspecified authorities.
For victims of this type of security breach, there is little to do but be vigilant. Changing passwords doesn’t help.
Jill Kocher of Crystal Lake, Ill., said she got at least five emailed warnings, including from U.S. Bank, Best Buy and clothier New York & Co. Because she works for Groupon, an Internet coupon company, she said she feels savvy enough to avoid any phishing come-ons. But she’s concerned for those who aren’t.