The Epsilon breach, covered extensively on DataBreaches.net, just got worse.
Yesterday, 12 days after they were notified of the breach by Epsilon, GlaxoSmithKline sent out notifications. Emphasis added by me, below:
From: “firstname.lastname@example.org” <email@example.com>
Date: April 16, 2011 1:30:36 PM EDT
Subject: An Important Message from GSK Consumer Healthcare
Dear GlaxoSmithKline Consumer Healthcare Customer:
On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/.
The information accessed included email addresses and first and last names. The file from which your name and email address were accessed may have identified the product website on which you registered. We take your privacy seriously and want you to be aware of this situation so that you can remain alert to any unusual or suspicious emails.
One of the primary concerns arising from a breach of this nature is that your information may be used to generate fraudulent email messages that may appear legitimate but are intended to gather confidential information that you would not otherwise reveal.
GlaxoSmithKline Consumer Healthcare will never ask you to provide or confirm any personal information in emails. Do not respond in any way to emails that appear to be coming from GlaxoSmithKline Consumer Healthcare that ask for personal information. If you receive an email requesting this information, you should delete it even if it appears to be legitimate. Any unusual or suspicious emails should be deleted without opening.
We also encourage you to take this opportunity to strengthen your passwords on any of your online accounts, particularly those that use the email address impacted by this breach as an account ID, to ensure your ongoing security. Additional information about protecting your personal information online is available at the Federal Trade Commission’s OnGuard Online website.
GlaxoSmithKline Consumer Healthcare values your privacy and will continue to work to ensure it is protected. We apologize if you receive more than one copy of this message as we are working diligently to ensure you are aware of this situation. If you have unsubscribed from our emails in the past, there is no need to unsubscribe again. Your preferences will remain in place.
If you have any questions about this communication, please feel free to contact one of our knowledgeable consumer relations representatives at 1-800-245-1040.
GlaxoSmithKline Consumer Healthcare
This email was sent to you by GlaxoSmithKline based on a past or present relationship with us or one of our brands. You may receive consumer notifications even if you have unsubscribed from our product promotional email.
A list of their pharmaceutical products can be found on this page of their web site.
According to the recipient who sent it to my blog, she has never signed up with them for anything, has no idea why they have her email address, and does not and has never used any of the listed products. She will be contacting them to ask how and when they obtained her email address, but this now adds another piece of information that can be used by spear-phishers, who now have names, email addresses, and the name of a medication that may have been taken.
This is not good. Not good at all.
Update: According to a commenter on Brian Krebs’s blog:
I rec’d an identical email to Mr. Mann’s above. I contacted Glaxo and they confirmed the email was from them and was associated with the Epsilon breach. They also said the most likely way they had a person’s email was thru prescription orders but could also be thru registering for coupons and other products.
So inclusion on the list does not mean that the name is definitely associated with a prescription medication, but if the entry does indicate the product name, then there is a greater risk of a privacy violation or targeted phishing.