
Epsilon hacked! Am I still being phished?

- April 5th, 2011

[Image: excerpt of the e-mail from BestBuy.ca]

So I received an email, supposedly from BestBuy.ca (an excerpt is shown above), alerting me to the fact that my name and e-mail address have been exposed by “unauthorized entry” into their system. It’s not Best Buy’s system, but rather Epsilon’s, a company that sends out e-mail on Best Buy’s behalf.

After doing a little research, I find out that this is true: Epsilon does provide this service, and to over 2,000 other companies as well.

This is news to me. I did not know who Epsilon was, nor did I have any idea that a third party was sending out Best Buy’s emails, although I should have guessed that they weren’t doing it themselves.

The e-mail, signed by Best Buy Canada’s VP Marketing, Angela Scardillo, offers apologies and assures me they are investigating the matter and that no account information, passwords or personal information, including credit card numbers, has been compromised. It reiterates, as so many emails do ad nauseam, that they would never ask me to confirm personal or financial information in an email.

I’m further warned that I might receive a spam email from the hackers and that I should be cautious when opening links or attachments.

Not Taking Any Chances

Ok. Hold your horses! While there are no attachments, this email does have a few links. One is a link to Epsilon’s statement, a second to BestBuy.ca and another, an email link to customer care.

Really? Do you expect me to actually click on any of the links in this email? How do I know that this email isn’t a phishing scam? And even if I don’t give out my account number, how do I know that by clicking on this link, it won’t trigger a keystroke logger or attach some malicious code that will steal my password the next time I sign on for online banking?

Scanning the e-mail’s source code, it appears to originate from Best Buy’s servers, but “appears” is the operative word, and despite my curiosity, it’s not worth the risk.

Well, there is a phone number. It’s unlikely that a manually executed analogue voice communication would subject me to a concealed Trojan. I guess I’ll call them in the morning to see if they actually did send the e-mail.

Be careful, folks; be very careful.

Greg Gazin is the Real Canadian Gadget Guy.

Follow me on Twitter @gadgetgreg.


15 comments

  1. Melissa | April 5, 2011 at 1:32 am

    I got this same e-mail too. I didn’t click on any links, but it has helped reinforce my displeasure for the program. I pre-ordered a video game from Best Buy and wasn’t credited any of the bonus points I was supposed to be, their customer service never replied to the 3 inquiries I left, and now this. What is left to do but cancel my membership and take the scissors to the card?

    The only thing I’ve gotten from the Best Buy Reward Zone is a potential personal information leak.

  2. William Benson | April 5, 2011 at 2:26 am

    If you’re trying to be cheeky or clever here, it’s falling quite flat. A quick Google News search will tell you the Epsilon data breach is indeed real and affecting dozens of companies (including Best Buy), a quick examination of the links in the e-mail will tell you they’re genuine, and if it were possible to “attach some malicious code” just by clicking on a link, there wouldn’t be an uninfected computer left online.

    Everyone should be cautious about spam and phishing attempts, but let’s show a little common sense here. Being paranoid about an email that’s so demonstrably legitimate is like refusing to open your door for firefighters warning you your building’s ablaze. They could be impostors who happen to be wearing firefighter’s uniforms and showed up in a fire truck!! Better stay inside just to be safe!

  3. BB | April 5, 2011 at 7:59 am

    I understand the apprehension but as “William Benson” wrote, the moment you do a quick Google search you’d see this was real.

  4. HP | April 5, 2011 at 8:15 am

    Dumbass.

  5. Alan | April 5, 2011 at 10:17 am

    That’s not what the author meant at all. If you read it without bias there would not have been such a stupid analogy coming from you.

    The phish attack the author refers to is via the links within the e-mail. If phishers and hackers send out another one with a fake website, they could easily phish unsuspecting victims onto a site that looks genuine and would steal all of their information.

  6. Greg Gazin | April 5, 2011 at 10:27 am

    Thanks for clarifying Alan!

  7. Greg Gazin | April 5, 2011 at 10:35 am

    Yes, it was real and I note that in the second paragraph.

  8. Greg Gazin | April 5, 2011 at 10:52 am

    Thanks for your comment.

    My point is not to make people paranoid. It’s to have them really think twice about taking an email at face value without even considering that it may not be what it seems. We all say we are cautious and in our minds I’m sure we mean to be, but haven’t you had a time when your Inbox is so full, you’re tired, it’s late at night when you’re reading – and you get one of these, and you just might not think about it.

    As for legitimacy, my point was that links may look legitimate at first glance, but upon careful examination they could vary ever so slightly from what they should be. Furthermore, clicking may also redirect you to somewhere other than where you want to go. I just happened to decide this time that I preferred not to click.
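The two checks the post describes, looking at where the e-mail claims to come from and examining each link’s real host against what its text shows, as an added Python example that is not part of the original post or its comments; the message, hosts and addresses in it are constructed for illustration and are not the real Best Buy or Epsilon values:

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not the real Best Buy/Epsilon e-mail): a link to the
# mailing vendor, a genuine retailer link, a look-alike host, and a mailto link.
RAW_EMAIL = b"""\
Received: from mail.example-retailer.ca (mail.example-retailer.ca [203.0.113.10])
From: Example Retailer <news@example-retailer.ca>
Subject: Important notice about your e-mail address
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the vendor <a href="http://www.example-esp.com/statement">statement</a>.</p>
<p>Visit <a href="http://www.example-retailer.ca/">www.example-retailer.ca</a>.</p>
<p>Or <a href="http://www.example-retai1er.ca/login">www.example-retailer.ca/account</a>.</p>
<p>Questions? <a href="mailto:care@example-retailer.ca">care@example-retailer.ca</a></p>
</body></html>
"""

# Simple anchor matcher: enough for the plain <a href="...">text</a> links used here.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Lower-cased host of a URL, or of bare link text such as 'www.host/path'."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def inspect_email(raw):
    """Return (sender domain, host named in Received, [(href, shown text, verdict)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    received_host = msg["Received"].split()[1].lower()        # 'from <host> (...)'
    html = msg.get_body(preferencelist=("html",)).get_content()
    findings = []
    for href, shown in ANCHOR.findall(html):
        shown, host = re.sub(r"<[^>]+>", "", shown).strip(), host_of(href)
        if href.lower().startswith("mailto:"):
            verdict = "mailto"                         # nothing to click through to
        elif "." in shown and host_of(shown) != host:  # text names one host, link goes to another
            verdict = "MISMATCH: %s vs %s" % (host_of(shown), host)
        elif not in_domain(host, sender_domain):
            verdict = "off-domain"                     # e.g. the mailing vendor's own site
        else:
            verdict = "ok"
        findings.append((href, shown, verdict))
    return sender_domain, received_host, findings
```

The look-alike link (retai1er with a digit one) is flagged because the text a reader sees names one host while the href points at another; an off-domain link is not necessarily bad, but it is the one to verify by typing the address yourself rather than clicking.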

  9. S P Arif Sahari Wibowo | April 5, 2011 at 1:25 pm

    A news saying, “beware of this kind of news!”

  10. Lisa | April 5, 2011 at 3:11 pm

    If you received this email – also change your email password. My husband’s account was hacked and sent out spam messages to all of his contacts this morning.

  11. Bob | April 5, 2011 at 4:04 pm

    And the phone number (numeric one) was wrong, they transposed 2 digits 8-7 7-8. Poor woman who answered that line all day.

    Who thinks ALL these companies lost ONLY the SAME 3 FIELDS?

    How did they include my AirMiles balance in the email without storing it at Epsilon? Or how was that balance kept magically safe while the hackers made off with only 3 fields? Could they not have kept everything as safe as that miles balance? tee hee!

    We are being snowed.

  12. Greg Gazin | April 5, 2011 at 4:38 pm

    Good catch Bob! Yes, I too feel sorry for the lady. I actually went to Best Buy’s site to verify the number. (In Canada, it’s 866BestBuy, in the US it’s 888BestBuy). I dialed 1-866-best-buy.

    I didn’t really pay attention to the numerics, I used the Alpha numbers for dialing. But this also brings up another point. The numeric phone number could have also been a plant. If it was an intercepted call the operator could have asked for your account info.

    I also echo your concern. I rec’d 2 more emails today from other Epsilon customers. So how much info did they really get?

  13. Greg Gazin | April 5, 2011 at 4:40 pm

    Thanks Lisa! It’s always a good practice to change one’s password once in a while. In fact some institutions require that it be done every 60-90 days.

  14. mike | April 7, 2011 at 9:10 am

    for a long time now, i do not click email links. ever! i go directly to the company’s web site manually and log in. sure it’s more hassle, but it’s hard to phish yourself. creating my own ‘home web page’ with links to all my favored companies doesn’t hurt either.

  15. Silly Sally | April 12, 2011 at 8:03 am

    Airmiles – I received an e-mail within hours of the news being broadcast on TV. I opened up the e-mail and now I am living in the world of SPAM.
    I find it interesting that a large spam problem had just been shut down weeks ago .... mmmm ..... I wonder?? Could it be the same people?
    To be proactive and to show my displeasure in corporate 3rd party outsourcing, I have phoned and cancelled 4 companies that I use. I also mailed hard copy letters with copies of the SPAM e-mails to the CEOs to let them know ... that I, the consumer, am not impressed. I believe that if everyone takes this approach, corporations may make a better effort to manage their security with a little more integrity.
