Two weeks after the data breach, drug company GlaxoSmithKline finally got around to notifying its clients, people registered at various 'product' websites, that their data was stolen. Along with your email address and name, the criminals now know which prescription drugs you may take. This makes spear-phishing attempts even more serious: falling for one may endanger your health should you buy fake drugs.

"The information accessed included email addresses and first and last names. The file from which your name and email address were accessed may have identified the product website on which you registered."

The company suggests you visit their website to see the full list of drugs they sell, but incredibly, a link to the list doesn't exist there, nor does a copy of the email they sent to end-users.

UPDATE: PHIprivacy has posted another copy of the GSK email (sent to someone who has no idea why she received a warning), and a list of drugs they sell.

CAUCE can't overstate the seriousness of this latest turn of events.

In other news, Websense noted late Friday that spam is going out that pretends to be from Epsilon, notifying consumers of new information about the breach. Clicking through a link on the very professional-looking payload website installs malware (a trojan) called 'Epsilon Secure Connect Tool' (epsilonsecureconnect.exe) on the victim's computer.

There is no indication whether this spam campaign was a spear-phishing run, meaning a spam campaign aimed only at those people whose email addresses Epsilon lost in the breach, or whether it was more widespread. More details on the attack can be found at The Tech Herald website (the malware is hosted by a company called, in Naperville, Illinois).

CAUCE's advice to consumers remains the same: Change your email address immediately! There is more information at:

Facts & Tips for Consumers about the Epsilon Breach

Was your Email lost by Epsilon? Change your Address!