Townsend Security Data Privacy Blog

Epsilon Data Breach - More Serious Than You Think

Posted by Patrick Townsend on May 17, 2011 12:00:00 AM

epsilon breachI found the data breach of Epsilon just shocking for several reasons:

First, the scope of the breach was astounding. About 2,500 companies are using Epsilon for email communications with their customers, and some of these companies are quite large. Thus the number of email addresses exposed was gigantic. You really have to wonder why those email addresses weren’t encrypted. Anyone would see those email addresses as a high value target. And email addresses are Personally Identifiable Information (PII), after all.

Second, you have to wonder why really large companies trusted Epsilon with their customer information without insisting on good data protection practices.  What were they thinking? When you hand over your data to an outside company, you aren’t off the hook if there is a data loss.  It wasn’t Epsilon who had to send emails and letters to customers. The originating companies bear the cost of that effort, and the business damage that follows.

Third, the loss of an email address is not trivial. It’s true that email addresses are more public than many bits of personal information we have. But email addresses are often used as account identifiers for on-line services. If I have your account ID it is a lot easier to attack your password credential. People are amazing lax about creating strong passwords. So the loss of emails provides one more weak link in the chain of security for individuals.

Then there are the phishing attacks. If I have your email address it is a lot easier to send you an infected PDF file. I just look on your company’s web site or Facebook page and find the name of your CEO. Then I send you an email with the CEO’s name and an infected PDF. Perhaps I name the PDF “Look at these terrible results!.pdf”. You are probably going to jump to open that one!  So now I have invaded your internal network.

You can see how this can really escalate to bad news for you and your organization.

The lesson for any organization is to do some due diligence with your service providers. Be sure they are protecting your information with the same level of care that you do. After all, you are on the hook if they lose your data.  For more information, download our white paper titled AES encryption and Related Concepts.


Click me

Topics: Encryption, Phishing, Data Breach, Personally Identifiable Information (PII)