So I did the usual check to see whether there had been news of Joost being hacked, but couldn’t find anything. We’re they? Or is this purposeful?

I went to their website to contact them, but they only seem to want to be contacted if there’s money involved:

I checked their Privacy Policy and it seems it’s been updated since I signed up to give them permission to sell my personal information:

You won’t be surprised to hear I’ve deactivated my Joost.com account and deleted my email address. Thank goodness for foresight and disposable email addresses…

Companies with whom you have done business (or in some cases, not) are now rushing to disclose that they have had their customer database compromised, resulting in names and email addresses being released to unauthorised baddies. You should expect an increase in spam, and be particularly cautious of spear phishing attacks.

Play.com sent this to me on 21st March:

Dear Customer,

Email Security Message

We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

Please be assured we have taken every step to ensure this doesn?t happen again and accept our apologies for any inconvenience this may have caused some of you.

Customer Advice

Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.

Thank you for continuing to shop at Play.com and we look forward to serving you in the future.

Play.com Customer Service Team

************************************************************************
Confidentiality: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the individual or entity
to whom they are addressed. If you have received this e-mail in error
please notify the sender immediately and delete this message from your
computer without further action. Any dissemination, distribution or
copying of this message or any files transmitted with it by an
unauthorised recipient is strictly prohibited.
Viruses: This message has been swept for viruses but we cannot guarantee
that this e-mail or its attachments are virus free nor accept
responsibility for any virus inadvertently transmitted herewith.
************************************************************************

Then, three days later on 24th March I get this from TripAdvisor:

To our travel community:

This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.

Steve Kaufer

Co-founder and CEO

Today another from Walgreens:

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon’s email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue, but we feel an obligation to make you aware of this incident. We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team

What’s especially bad about the Walgreens situation is how they ended up with my email address in the first place. I have never done business with Walgreens (they don’t exist in the UK). However, their newsletter doesn’t require a confirmation when you sign up, so someone who doesn’t know their own email address entered mine (hopefully by mistake), and suddenly I’m on their list. I unsubscribed but that doesn’t delete my data from their database. To do that I probably need to login to ‘my’ account, and of course, I don’t have those login details because I didn’t create the account in the first place!

As I write this the latest email has just arrived, this time from Marks & Spencer:

We have been informed by Epsilon, a company we use to send emails to our
customers, that some M&S customer email addresses have been accessed without
authorisation.

We would like to reassure you that the only information that may have been
accessed is your name and email address.  No other personal information,
such as your account details, has been accessed or is at risk.

We wanted to bring this to your attention as it is possible that you may
receive spam email messages as a result. We apologise for any inconvenience
this may cause you. We take your privacy very seriously, and we will continue
to work diligently to protect your personal information.

These companies, whom I trust(ed), outsource the delivery of their newsletters and other marketing emails to a third party company. Epsilon is one of those companies and as you can see, their database was breached. Naturally, they are a huge target for spammers trying to get your information, and it wouldn’t surprise me if they have survived many attacks over their lifetime. They need to be lucky all the time, the spammers only need to be lucky once. Fortunately it appears that only a subset of the data was exposed.

[UPDATE 17-APR-2011: Further investigation tells me that the Play.com breach was at SilverPop and the TripAdvisor breach was via ExactTarget. ]

Now I’m a tech-savvy person so this isn’t going to affect me as badly as it could have. I guessed something like this would happen sooner or later, so I took (and continue to take) precautions:

• Each of the above companies had a different (disposable) email address for me.
• I use Mailwasher to read email so don’t see HTML, only the plain text. It doesn’t download images, send read receipts, or do other such actions which could help the spammers.
• I don’t click on links in email.
• I’m aware of the dangers of phishing and the like.

However, I now have to be especially cautious, particularly if I’m reading email on-the-go (my mobile email client doesn’t provide the same security options as Mailwasher and it’s possible I could be tricked if forced to act in haste).

More info:

Epsilon Press Release

Someone Just Stole Your Email Address (from NPR)

Good interview with security expert Brian Krebs identifying the risks

#Epsilon on Twitter

via the ZoneAlarm Blog.

Login to your Facebook account, then go to the top right corner, select Account > Account Settings.
Next to “Account security” click “change”.
Under “Secure Browsing (https)” select the checkbox “Browse Facebook on a secure connection (https) whenever possible”, then click Save.