Disney/Epsilon Email Compromise?

Folks - I just posted a thread about the compromise and why you should be concerned about it. If you go back to the forum, you'll see it. Not to hijack this thread, but mine explains it with technical aspects, security information and recommendations about what to do from here.
 
I just received the email from destination disney. The computer had a virus last week and I had to take it into the shop to get fixed. I wonder if it had anything to do with this. L&G's Dad.
 
College board one here. :(
 
i receive offers from disney destinations on a regular basis, and i didn't receive this e-mail.
 


If you don't have Iconix, I would get it. It verifies that the email is sent from the sender.
I got a notice this morning from HSN.
 
Odd-i got it but it was in my spam folder

All my disney emails go to my regular folder-which makes me think it IS spam?:confused3
 


The most important thing anyone can do to safeguard their email is to have a good password which includes upper and lower case letters, numbers, and symbols for their email. Someone having your email in itself isn't really a threat as long as you are careful about the links you click in emails and the files you open. What is dangerous about someone having your email is what they can deduce from it or what they can do with it as part of a blended threat.

Here is an example. Let's say your email address is JohnSMith123@hotmail.com. Chances are your username at banking, shopping, and other sites is the same (JohnSmith123) or, worse, the sites use your email as your user name. If I can get into your email account I can reset or get access to all of your banking passwords because almost all of the sites have a "forgot your password" link that uses your email to reset the forgotten password. This is why your email password needs to be complex and different from every other password you have.

Why different? Well that is where the blended threat comes in. I have your email and can send you a phishing attack that states your information at Chase/Citi/BofA/whomever has been compromised. You log into the fake site and enter your Chase/Citi/BofA password and I now have that site's username and password along with your email address. That is bad enough but if you use the same password for your email address as the credit card or banking site I just impersonated I not only have your username and password for that single site but I can get into your email and use it like I described above to get into all of your e-commerce sites.

There is little you can do to keep your email private. I go with the assumption that everyone on the planet has mine. What is important is you secure it with a good, strong password that is unique to only your email account and that you are careful about links you click in email. If you get an email from Chase don't click a link in the email, go directly to the Chase site and log in there. I am the I.T. director of a financial institution and if we had a breach we would never send a link in email to have our clients change their passwords or information for this reason. We would have a link provided right on our site where you can check the validity of the SSL certificate before proceeding.

As HonestAbe stated in his other post third parties have a lot of information. This isn't only true of email lists but third parties clear credit cards, checks, ACH transactions, and a lot of other financial instruments. It is the way of the world and they, unfortunately, have breaches. Sadly most aren't as good with sensitive information that should be encrypted or hashed instead of stored in databases in the clear.

I would recommend everyone change their email password if it is weak or shared among multiple sites and be vigilant about what you click in email. I'd also learn how to check the SSL certificate of any banking or shopping site I use. A quick Google search will tell you how to do this in your browser.
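
The chain this post describes (a password typed into a fake site, reuse of that password on the mailbox, then "forgot your password" links) can be worked through on a small account list. This is an added example, not part of the original post; the account names, passwords and the `recovery` field are constructed for illustration.

```python
import string

# Constructed inventory of one person's accounts (all values are made up).
# "recovery" names the account whose mailbox receives that site's
# "forgot your password" link; None means no e-mail reset is set up.
REUSED = [
    {"site": "email", "password": "Tr1cky!Horse", "recovery": None},
    {"site": "bank",  "password": "Tr1cky!Horse", "recovery": "email"},
    {"site": "shop",  "password": "shop-Only#77", "recovery": "email"},
    {"site": "club",  "password": "club-Only#12", "recovery": None},
]
# Same inventory, but the mailbox has a password used nowhere else.
UNIQUE = [dict(a, password="Mail-0nly&Long") if a["site"] == "email" else a
          for a in REUSED]


def has_all_classes(password):
    """The post's rule: upper case, lower case, a number and a symbol."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def exposed_if_phished(accounts, phished_site):
    """Sites lost once the password typed into a fake phished_site page leaks."""
    leaked = next(a["password"] for a in accounts if a["site"] == phished_site)
    lost = {phished_site}
    grew = True
    while grew:  # repeat until no further account falls
        grew = False
        for a in accounts:
            if a["site"] in lost:
                continue
            # Falls by reuse of the leaked password, or by a reset link
            # sent to a mailbox that is already lost.
            if a["password"] == leaked or a["recovery"] in lost:
                lost.add(a["site"])
                grew = True
    return lost
```

With the reused password, a phished bank login also costs the mailbox and the shop account that resets through it, even though that password passes the character-class rule; with a mailbox-only password the loss stops at the bank.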
 
i receive offers from disney destinations on a regular basis, and i didn't receive this e-mail.

I received it on the account I made my Disney Resort Reservation, but not on the account I receive all my regular Disney Destination offers. :eek:
 
I've gotten it three times: Disney, TiVo and a brokerage firm.
 
Thanks FD :thumbsup2

I have a friend who uses her kids' birthdate years in her passwords and then talks about her kids on Facebook. Not that I hope she has been included in this breach, but I hope that all the talk about it will get her to wise up about how easy it can be for someone to guess your password when you are so open about your personal info online.
 
That last part about Facebook is very important. Not just from a password perspective but from a security question perspective. If your 3 questions are your mother's maiden name, your pet, and your high school graduation year don't have pictures of your dog with their name in the caption, your age, or your 3 cousins whose dad is your mom's brother (and have her maiden name) marked as cousins on Facebook.
 
I've gotten it three times: Disney, TiVo and a brokerage firm.

I would be VERY concerned about this one--Disney Destinations, not so much if you have never used them for anything except getting emails.

That last part about Facebook is very important. Not just from a password perspective but from a security question perspective. If your 3 questions are your mother's maiden name, your pet, and your high school graduation year don't have pictures of your dog with their name in the caption, your age, or your 3 cousins whose dad is your mom's brother (and have her maiden name) marked as cousins on Facebook.

Or make up "wrong" answers to your security questions. If it asks for your Mother's Maiden Name, put the name of the street you grew up on instead. I have also heard that you should use a "sentence" for a password but just use the first letters from each word. So if you use "The quick brown fox jumped over the lazy dog" your password would be tqbfjotld .
 
I would be VERY concerned about this one--Disney Destinations, not so much if you have never used them for anything except getting emails.
Disney has my credit card number and my social security number (because they ran a credit-check on me when we bought into DVC), so they're both worthy of enhanced vigilance. (TiVo, not-so-much.) However, as others have pointed out, it's just email addresses and names that were breached.
 
I guess I'm not overly worried. Epsilon was only privy to certain information - namely email and name. Basically, you will simply have to stop using the internet if this makes you overly worried. Obviously there are plenty of precautions to put in place which have been mentioned by FireDancer already. A company spamming you? That's hardly a threat. This is the release from Epsilon:

IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.
 
Did anyone else get this email this morning?

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

Anything I/We need to be overly concerned about? The only other reference I found on the Dis is a brief thread on the Canadian Community board. I'm not terribly computer/internet savvy...I know not to open spam emails/attachments, but I'm concerned as I have a current ressie with my CC number attached to it....any words of advice?

Your CCI (credit card information) is not kept the way your email address is. Federal guidelines require this information kept differently. Disney's CCI compliance is actually quite comprehensive. Epsilon has been hacked and several huge companies are being affected. For reasons obvious, they sent this to every consumer who could have been affected by the hacking.

At least we all were told before we find out on the news. That seems to be the way I find out a company's information has been compromised. :scared1:
 
Disney has my credit card number and my social security number (because they ran a credit-check on me when we bought into DVC), so they're both worthy of enhanced vigilance. (TiVo, not-so-much.) However, as others have pointed out, it's just email addresses and names that were breached.

Yes, because they wouldn't mislead us (again), right?

How do we really know what information has been accessed? The answer is, we don't.
 
Most states have laws that require notification for certain types of data breaches which include exactly what data may have been compromised. An email address, at least in Ohio, is not one of them. I don't know where Epsilon is located but if sensitive information like SSNs, addresses, etc. were compromised they would more than likely have to tell you. If they don't give out specifics either they are in a state with weak mandatory reporting laws or the information wasn't sensitive enough to warrant the detailed notification.
 
i just got the e-mail from Disney Destinations, and it said only my e-mail address was "exposed". i guess we'll see. my spam filter is set pretty high.
 
