The emails may already have reached your in-box: Valued customer, we regret to tell you that your name and email address may be in the hands of hackers.
All over the country, companies big and small are scrambling to warn their customers in the aftermath of what appears to be one of the biggest data breaches in recent times. But with some simple steps, you can protect yourself from the increased risk of identity theft that can follow a data breach.
The breach occurred at Epsilon, an Irving, Texas, firm that says it sends out 40 billion emails each year in "permission-based" marketing campaigns for corporate customers. These are campaigns that you opt into when you do things such as registering at a company website or writing down your email address on a warranty card.
On April 1, Epsilon announced that an "unauthorized entry" into its giant database had exposed consumers' emails and names to the intruder. It did not name the corporations whose records had been compromised, but in subsequent days it became clear that they included some of the largest businesses in America.
According to the trade publication SecurityWeek, the list includes Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, Disney Destinations, Best Buy and the College Board, the company behind SAT tests for college-bound students.
The companies are contacting customers through emails as well as "tweets" and announcements on their Web and Facebook pages. Generally, the messages stress that only names and email addresses were compromised. There was no loss of sensitive financial information such as credit card or Social Security numbers.
So now what? The immediate danger could be that you will receive "phishing" emails or telephone calls that purport to be from the companies but are actually seeking your personal information.
How to stay safe:
- Don't reply to requests seeking personal information, such as passwords or information on bank or credit card accounts. Even if you're told that your account was compromised — and the Epsilon breach is specifically mentioned — ignore these incoming "notifications." Instead, check out the claim yourself at the company's website or toll-free customer service number that you look up yourself.
- Don't open attachments or click on links in incoming emails that promise to take you to the company's sign-on form. Scammers may be setting up bogus websites under the companies' identities to capture log-in or account information. You should change your passwords, but do this only on the company's own website, which you reach by typing in its name yourself or finding it through a search engine, not by clicking on a link.
- Never use your email address as a log-in ID or password.
- Even if your name wasn't on the list exposed at Epsilon, know this: If you're subject to any kind of data breach, you are four times more likely to suffer future identity fraud, with a one in five chance of being victimized within 12 months of that notification, according to Javelin Strategy and Research.
- So if you're notified, or just suspect, that your data has been breached, keep particularly close tabs on your credit report at AnnualCreditReport.com, the only place on the Web where you can get your credit reports free with no strings attached.