Network News

X My Profile
View More Activity

Should E-Mail Addresses Be Considered Private Data?

A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation's largest payroll and tax services providers.

Security Fix learned of the data breach through a SunTrust customer who received a curious e-mail in mid-September; the message was sent to a custom e-mail address the guy had created for use exclusively with SunTrust. The message, which was addressed to the recipient by name and mentioned his company, urged him to download a PDF document to help resolve an identity theft complaint he had supposedly filed with SunTrust.

The recipient, who asked to remain anonymous to avoid any further risk of identity theft, said earlier this week that he received an e-mail from SunTrust that said a "third-party database used by a number of financial service providers, including SunTrust, was improperly accessed" [emphasis added.]

SunTrust spokesperson Hugh Suhr said the purloined data included the names, e-mail addresses and physical addresses for about 40,000 SunTrust customers. He said the customer list was stolen from a database held by Salesforce.com, and that contact information for ADP customers also was lifted from Salesforce.

Suhr said the bank received complaints from roughly 500 customers who received targeted phishing e-mails. He added that only a handful of those customers appeared to have fallen for the phishing scam and that the company is aware of approximately $9,000 in losses as a result.

ADP issued a press release on Sept. 14 about a similar attack, saying the phishers spoofed the "From" address to make it appear as though the messages had been sent by the company. As in the SunTrust attack, recipients were asked to download a file, which included malicious software (most likely malware designed to steal usernames and passwords from the victim's PC). ADP did not return calls seeking comment.

Salesforce.com's Bruce Francis, the company's vice president of corporate strategy, declined to say whether any customer-specific data was stolen, and refused to answer direct questions about the alleged incident, saying that doing so would not be in the best interests of its customers. He did, however, stress several times that "phishing is a fact of life for any company that does business on the Internet these days."

Both SunTrust and ADP emphasized that the stolen customer list did not include any sensitive information, such as account or Social Security numbers. Still, as this and other attacks have shown, phishers and other fraudsters can dramatically increase the success of their scams by obtaining customer e-mail lists from the companies they plan to target.

In August, job search giant Monster.com's resume database was breached by hackers, exposing confidential data on 1.3 million job seekers. The attackers then used the contact information from that database to send users targeted e-mails that appeared to come from Monster.com. Recipients were directed to click on a link in the message, which tried to install malicious software through Web browser security vulnerabilities.

Last year, phishers used a stolen database of Indiana University student and faculty e-mail addresses to conduct a targeted attack against roughly 24,000 students. That attack netted close to 80 victims, a relatively high success rate for a phishing scam with such a limited base of recipients.

Due to a proliferation of state disclosure laws, most U.S.-based businesses must alert customers if a data breach or loss jeopardizes personal or financial information. But these types of incidents raise the question of whether e-mail addresses also should be considered confidential information that, if stolen, should in an of themselves trigger notification requirements.

By Brian Krebs  |  October 19, 2007; 6:00 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Stock Spammers Pump It Up With MP3 Files
Next: RealPlayer Patch Plugs In-the-Wild Security Exploit

No comments have been posted to this entry.

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company