Experts: Epsilon Breach Could Impact Government Entities

The security breach at the marketing services firm Epsilon on March 30 exposed the names and e-mail addresses of customers from a variety of private businesses. But experts say government IT professionals should also be concerned about the intrusion, particularly smaller municipalities that may not have the latest virus and malware protections.

Common security issues such as using one password for personal and business accounts, not having at least two-factor authentication for access into important databases, and utilizing work e-mail in transactions with banks and other businesses can lead to phishing attacks and ultimately data theft.

“If a criminal finds your e-mail address and it is at a county government, they now know where you work and then can go on the Internet and find businesses that you work with to craft a really targeted phishing message,” said Steve Dispensa, chief technology officer and co-founder of PhoneFactor Inc., a provider of phone-based, two-factor authentication services.

In addition, government employees and users that may be affected by the Epsilon breach might not be receiving the warning messages that individual companies that have utilized Epsilon are sending to customers. So people may think they are not at risk for any increased phishing activities, when in fact they are.

According to Joseph Wulffenstein, division chair of quantitative studies and department chair of management information systems at Northwood University in Midland, Mich., many municipal governments outsource their e-mail services to outside organizations. These organizations could have used Epsilon for marketing purposes, further exposing educational and governmental employees.

“I use my .edu account for financial transactions with Northwood University, so that account is also probably compromised with the same banks and financial institutions,” Wulffenstein said. “So it is not just personal individuals that are compromised. It is [people] using their government e-mails to do transactions.”

If an employee falls for the phishing scam and provides information such as a password or personal identification number when replying, it creates a window of infiltration that could potentially expose sensitive data.

While many people are aware of phishing scams, Dispensa warns that criminals are coming up with much better messaging and the risk of a network getting infected with malware is very real.

“Imagine a city of 5,000 people and [the city’s] level of data security sophistication,” he said. “Are their users really getting regular training, and [are their computers receiving the latest] virus and security patches? Are they running strong enough authentication? All these are present in the most sophisticated places, but maybe not in smaller local governments.”

Wulffenstein, who said he had previously worked for a government organization IT staff earlier in his career, agreed, saying that those who work in government are somewhat buffered from these issues.

“What I noticed is that people working in smaller municipalities and local governments rely on their IT staff to worry about [network security] for them,” Wulffenstein said. “And staff seldom has any training sessions with the users to show them the things they need to be aware of.”

Steps to Increase Security

In an era where cyber-attacks continue to expand and government budgets are shrinking, Wulffenstein admitted that while hiring IT personnel to focus directly on network security would be helpful, it likely isn’t practical. Instead, Dispensa and Wulffenstein recommended a number of tips that governments could take to shore-up their security measures:

• Use two-factor authentication — a password alone isn’t good enough.
• Continue to encourage employees to use different passwords for home and work use.
• Run enterprising anti-virus software that allows confirmation that everyone on a staff is running protective software.
• Use firewall management software to make sure firewalls are active and all computer operating systems are fully patched.
• Make sure IT is fully versed on what is happening regarding e-mail phishing and breaches.
• IT staff needs to inform and train end-users on phishing, malware and social engineering attacks.

“The basics are really important. Running a system to strengthen your authentication [can] go a long way to prevent phishing attacks and the type of damage the Epsilon breach may cause,” Dispensa added.