I'll see your Epsilon mail addresses and raise you 3 1/2 million Texans' personal records.

While the Epsilon leak got an excessive amount of media attention, given its limited potential for phishing (let alone spear phishing), it seems bizarre that far less attention has been paid to the exposure of all those employment/retirement records, which were reportedly accessible for nearly a year. I wouldn't want to write off the pairing of names and email addresses as trivial, but when the potentially misused data also include (in some cases, at least) street addresses, Social Security Numbers, dates of birth and drivers' licence numbers, we're talking about an identity theft treasure trove, and certainly some serious potential for spear phishing. Sitting on a public-facing server for a year, unencrypted,

Here in the UK, we've seen some major disasters in the public sector where data have gone astray: in fact, such issues probably contributed to the fall of the Labour government last year. So far, there seem to be no known instances of the exposed data being exploited. How many heads will roll in Texas if such evidence starts to appear, though? Well, I guess that depends partly on whether the media start to take more of an interest.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow