Townsend Security Data Privacy Blog

Gone ‘Phishin: Don't Be A Victim

Posted by Adam Kleinerman on Jun 29, 2012 6:49:00 AM

In May 2012, the Commodity Futures Trading Commission (CFTC) was the victim of a fairly high profile security breach. The breach occurred when a CFTC employee opened a suspicious email that turned out to be part of a “phishing” scheme. Phishing is a type of cyber crime where a hacker, posing as a legitimate company, gains access to a user’s private information when that user opens the fake email.

These emails often appear to be messages from large, well-known organizations that you may or may not be affiliated with or a customer of, such as cellular service providers, banks, or insurance agencies. The messages often contain fake bill statements with requests for payment, or requests for password or address changes. Once a user clicks on the email or the links provided in the email, the hacker gains access to personal information that can then be used for identity theft and other kinds of fraud.

In an official statement by the CFTC, chief information officer John Rogers revealed that the personal information stolen by the phishing scheme was largely social security numbers. However, Rogers asserted that CFTC operations would not be affected by damages due to the breach. This is, in general, true for large organizations and corporations, who can often afford to absorb the high cost of these setbacks. Rarely will these breaches affect them in the long run. Smaller and mid-sized organizations, on the other hand, often have difficulty rebounding from data breaches and are always at greater risk from phishing schemes and other types of data loss.

Here at Townsend Security we recommend that everyone who has a personal or work email take care that they are sending and receiving messages from reliable sources. Red flags to look for include emails with offers that seem “too good to be true”, receiving a bill you don’t expect, unsolicited offers from any organization, or requests to change any type of personal information through a link provided in the email.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.


Topics: Phishing, Data Privacy

Epsilon Data Breach - More Serious Than You Think

Posted by Patrick Townsend on May 17, 2011 12:00:00 AM

I found the data breach of Epsilon just shocking for several reasons:

First, the scope of the breach was astounding. About 2,500 companies are using Epsilon for email communications with their customers, and some of these companies are quite large. Thus the number of email addresses exposed was gigantic. You really have to wonder why those email addresses weren’t encrypted. Anyone would see those email addresses as a high value target. And email addresses are Personally Identifiable Information (PII), after all.

Second, you have to wonder why really large companies trusted Epsilon with their customer information without insisting on good data protection practices.  What were they thinking? When you hand over your data to an outside company, you aren’t off the hook if there is a data loss.  It wasn’t Epsilon who had to send emails and letters to customers. The originating companies bear the cost of that effort, and the business damage that follows.

Third, the loss of an email address is not trivial. It’s true that email addresses are more public than many bits of personal information we have. But email addresses are often used as account identifiers for on-line services. If I have your account ID it is a lot easier to attack your password credential. People are amazingly lax about creating strong passwords. So the loss of emails provides one more weak link in the chain of security for individuals.

Then there are the phishing attacks. If I have your email address it is a lot easier to send you an infected PDF file. I just look on your company’s web site or Facebook page and find the name of your CEO. Then I send you an email with the CEO’s name and an infected PDF. Perhaps I name the PDF “Look at these terrible results!.pdf”. You are probably going to jump to open that one!  So now I have invaded your internal network.

You can see how this can really escalate to bad news for you and your organization.

The lesson for any organization is to do some due diligence with your service providers. Be sure they are protecting your information with the same level of care that you do. After all, you are on the hook if they lose your data.  For more information, download our white paper titled AES encryption and Related Concepts.



Topics: Encryption, Phishing, Data Breach, Personally Identifiable Information (PII)
