Ok. That wasn’t the last update.

1. “They do everything bigger in Texas”: http://blog.eset.com/2011/04/12/they-do-everything-bigger-in-texas
2. “Plenty more (potential) phish in the C:\”: http://www.scmagazineus.com/plenty-more-potential-phish-in-the-c/article/200613/

And very possibly the last update here (the target blog suggests why…): Epsilon Overkill and the Security Ecology

Update 3: Rebecca Herson evaluates some of the advice given by Epsilon customers for coping with the phlurry of phish anticipated post-Epsilon: http://blog.commtouch.com/cafe/email-security-news/advice-after-the-epsilon-breach/

Links and a little extra irony from me: http://chainmailcheck.wordpress.com/2011/04/07/epsilon-epidemic/

Update 2: a discomfiting suggestion that there was a longstanding problem that Epsilon were actually aware of: http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.aspx (hat tip to Kurt Wismer, again)

Update: a few more articles you might find worth reading.

1. http://blog.eset.com/2011/04/07/phishphloods-not-all-phishing-is-spear-phishing
2. http://www.smh.com.au/technology/security/dell-australia-customer-details-stolen-in-major-global-data-breach-20110407-1d4yd.html
3. http://www.databreaches.net/?p=17374
4. http://nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/
5. http://www.scmagazineuk.com/epsilon-confirms-that-no-financial-data-was-breached-as-it-admits-that-the-potential-loss-of-clients-is-its-greatest-risk/article/200122/
6. http://www.scmagazineuk.com/if-your-outsourced-data-is-breached-where-does-the-responsibility-lie/article/200123/

It’s reasonable to assume that the Epsilon fiasco will lead to an epidemic: at any rate, luminaries such as Brian Krebs and Randy Abrams are making that assumption, and publishing some excellent proactive advice accordingly. So rather than go over the same ground, I’ll just cite some of the more useful blog posts around that.

Two highly relevant posts by Brian Krebs:

• http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/
• http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/

And two relevant posts by Randy:

• http://blog.eset.com/2011/04/04/how-to-avoid-a-phishing-attack
• http://blog.eset.com/2011/04/04/information-wants-to-be-free-so-epsilon-thinks

A list of companies known to have been affected from ThreatPost: http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511

And a characteristically to-the-point rant by Kurt Wismer on why it wouldn’t be an issue in a sane world: http://anti-virus-rants.blogspot.com/2011/04/why-epsilon-breach-shouldnt-be-issue.html

*Yes, a rather forced pun, I know. http://en.wikipedia.org/wiki/Status_epilepticus 

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow