With the Epsilon breach announcement of last Friday, it seems every merchant under the sun is notifying their customers of the expected onslaught of electronic mail messages asking for bank account and credit card numbers among other personally identifiable information (PII). Just in the last two days, I have received at least a half a dozen messages informing me of this possibility.
The result of this breach is likely to be the best spear phishing attack we have seen to date. These phishing attacks will likely be highly targeted since the people that took the information from Epsilon know not only your name and email address, but also the merchant that the email address belonged. While Epsilon states that only names and email addresses were taken, I would also think that all sorts of demographic information necessary to make these attacks very focused was also obtained. That will mean the percentage of people responding to them will likely be higher than usual because of the level of detail that the attacks will be able to rely upon for targeting. As a result, a lot of credit card numbers will likely get exposed.
So let us be prepared. Even though you send out messages to your potentially affected customer base warning them of this possibility, there will likely be a lot of your customers that will end up getting caught in whatever scams get dreamed up. Therefore you probably need to get your legal counsel up to speed as Epsilon and your company will likely end up embroiled in lawsuits regardless of the amount of warnings you issued.