SINGAPORE, 5 APRIL 2011 - As about 50 companies were affected by a major security breach at e-mail service provider Epsilon Interactive, it is not yet clear how many of Epsilon's Asian customers have been affected.
Epsilon had reported the breach on Friday. The company reported on Monday (4 April) that "approximately two percent of total clients" -- about 50 businesses -- were hit, including many big-name US banks and retailers.
According to a report published by The South China Morning Post, the breach appears to have compromised the names and online addresses of customers of many large companies in Hong Kong and on the mainland (China).
Epsilon has about 2,500 corporate customers worldwide and sends more than 40 billion e-mails annually. The report said that it has had operations in China for 10 years, with offices in Hong Kong, Guangzhou, Shanghai and Beijing. In the region, it has offices in Singapore, Sydney and Melbourne.
Asian customers in the dark?
"But so far affected companies in Hong Kong have yet to pass on the information to their customers," the paper reported. It further said in its report that according to a spokeswoman at Hong Kong's Office of the Privacy Commissioner for Personal Data, companies in the city "have no legal obligation to report a data breach".
According to SCMP, Rik Kirkland, senior managing editor at McKinsey, said in an electronic message sent to a Hong Kong subscriber of the McKinsey Quarterly: "We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information."
Computerworld Singapore tried to gauge the reaction of some of Epsilon's customers in the region after the data breach incident became a hot story. One media company that uses Epsilon's email services declined to comment. Others are still busy preparing media statements. This is in contrast to many US companies that have already apologised to their customers and have made them aware of the possible spam and phishing attacks.
Epsilon's Asia Pacific website still does not have any specific announcement or advice on this breach.
"We seem to be in data breach season at the moment," said Andrew Kellett, senior analyst, Ovum. "Last week it was RSA and this week Epsilon. The two of course are very different, but the commonality is that good organizations can be breached by a determined attacker."
"In the case of Epsilon the extent of the overall breach has not as yet been completely established, but is thought to be very large," he said. "On the positive side, from what we do know, the data that has been lost does not appear to be detailed enough to, for example, break into a person's bank account or steal their identity. However, exposing a very large number of email details and the associations of the individuals with specific organizations makes everyone affected vulnerable to targeted phishing attacks. Therefore the advice to anyone in Asia or any other part of the world would be to be extra vigilant. Never respond to an email that asks for confidential information, and always ensure that you never pass on banking or other financial information to a requestor via the web. Your bank and trading partners know your details and should never ask you to confirm them."