Last week we discussed the very large, very disruptive loss by Epsilon of a number of e-mail addresses and the identities of the companies with whom the e-mail owners did business.
InfoWorld Tech Watch reports that the hack appears to have relied on the gullibility of Epsilon employees. So there was no midnight rappelling from the ceiling through banks of laser-beam alarms like you see in the movies, merely a "social engineering" attack: targeted e-mails sent to Epsilon employees that contained some personal information about the recipient and were crafted to look as though they came from a personal acquaintance.
The messages included links (it is a bad idea to click links in a message) that took the employees to a site which downloaded three pieces of malware: one that disabled the antivirus software, one that logged keystrokes, and one that gave the attackers remote access to the infected machines. It also turns out that Epsilon had been warned about exactly this kind of attack several months earlier.
In the "lessons learned" department, or more appropriately the "lessons we should already have known" department: it would be prudent for any company holding large amounts of customer data (which is everybody online these days) to train its employees not to respond to personal e-mails at work, to recognize the telltale signs of a social engineering attack, and not to click links in a message whose origin they do not know.
This is not hard to teach, but apparently compliance is difficult. This lesson will get expensive for Epsilon.
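Some of those telltale signs can be checked by a mail gateway before a person ever has to exercise judgment. The script below is an added example, not code from the original post and not anything Epsilon ran; it parses a message with Python's standard library and flags three heuristic signs of the kind of mail described above: a display name that matches a known contact but comes from a different address, a Reply-To domain that differs from the From domain, and a link whose visible text names one host while the href points somewhere else. The address book, the rule names and both sample messages are constructed for the example, and all hosts use reserved example and test-net ranges.

```python
"""Flag tell-tale signs of a spear-phishing e-mail (added example).

Heuristic rules, each a hypothetical choice for this example rather than
anything from the post being illustrated:
  display-name-spoof : display name matches a known contact, address does not
  reply-to-mismatch  : Reply-To domain differs from the From domain
  link-mismatch      : visible link text names one host, href goes elsewhere
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical address book: display name -> the address the company knows.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@corp.example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Host named by a URL or bare hostname; '' if the text is not one."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    host = (urlparse(t).hostname or "").lower()
    return host if "." in host else ""


def analyze(raw):
    """Return a list of (rule, detail) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    known = KNOWN_CONTACTS.get(sender.display_name)
    if known and known.lower() != sender.addr_spec.lower():
        findings.append(("display-name-spoof",
                         f"{sender.display_name!r} is {known}, not {sender.addr_spec}"))

    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(("reply-to-mismatch",
                             f"From {sender.domain} but Reply-To {reply.domain}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = _host(text), _host(href)
            if shown and actual and shown != actual:
                findings.append(("link-mismatch",
                                 f"text says {shown}, href goes to {actual}"))
    return findings


# Constructed sample: a personal-looking lure of the shape the post describes.
SUSPICIOUS = b"""\
From: Jane Doe <jane.doe@example.net>
Reply-To: jane.doe@example.org
To: employee@corp.example.com
Subject: photos from Saturday
Content-Type: text/html; charset=utf-8

<html><body><p>Hi, here are the photos from the game!</p>
<p><a href="http://203.0.113.5/photos/">http://photos.corp.example.com/album</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal message whose link is what it says.
BENIGN = b"""\
From: Jane Doe <jane.doe@corp.example.com>
To: employee@corp.example.com
Subject: quarterly slides
Content-Type: text/html; charset=utf-8

<html><body><p>Slides are on the intranet:</p>
<p><a href="https://intranet.corp.example.com/q2">intranet.corp.example.com/q2</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The rules are deliberately crude and will miss lures with no links and no spoofed names, which is why the training the post calls for still matters; the point is that the cheap checks belong in front of the human, so the person is the last line of defense rather than the first.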