The theft of email addresses from Epsilon could affect consumer trust, and organizations have to reassess the risks of outsourcing less sensitive data and processes.
As email-marketing company
Epsilon continues to deal with the fallout related to the revelation that some
of its clients' customer data has been exposed to a third-party, it becomes
clear that this incident affects all service providers as organizations renew their
focus on data security. In addition, this latest data breach calls into
question how secure information is within a cloud-computing infrastructure.
Epsilon reported April 1
that it detected an "unauthorized
" into its email system and discovered that email addresses and names
belonging to a "subset" of its clients had been exposed to attackers.
The company estimated that
the attack affected 2 percent of its approximately 2,500 clients. Despite the size of the breach, some
affected companies and customers have taken heart in the fact that the stolen
data included "only" email addresses, as opposed to personally
identifiable information, such as social security numbers.
Still, it means customers
are in for more spam
, and that leads to questions about whether people can
trust something as simple as an email address to a retail store or hotel chain.
"Any company that is
privileged to manage the information that a company maintains about its
customers should be paying attention," said Dave Frankland, principal analyst
at Forrester Research.
Most of the individuals
receiving notification emails about the breach have never heard of Epsilon. The
data loss doesn't affect their perception of Epsilon. However, the breach has
affected customers' relationships to the name-brand banks, travel companies or
retail outlets that have had to send out notifications that email addresses
have been compromised, said Frankland.
"Customers will surely start
to wonder if they can't trust these firms with their email addresses. [They ask
themselves if it's] really that smart to trust them with their credit card
data, or with their mortgage," Frankland said.
The resulting loss of trust
and consumers' perception that companies shouldn't have outsourced even the
"innocuous" data may force organizations to reassess their marketing strategy.
The kind of targeted marketing that Epsilon and similar firms do, such as
marketing a mink coat to consumers in Ohio but not to Miami residents, is often
beyond the organization's capabilities. But now organizations have to recognize
the risks to the brand and consumer trust by continuing to work with an
external marketing provider, Frankland said.
The Epsilon episode raises
additional concerns about how secure any data is within a cloud-computing
infrastructure, especially as the technology becomes more mainstream.
Cloud adoption, while
strong, has been hampered somewhat with concerns about data security in a
multi-tenant deployment, and the Epsilon breach brought those concerns back to
the forefront. A single system, when broken into, gives the perpetrator
potential access to a wealth of data, Frankland said.
Marketing providers are
"always keenly aware" of the "vulnerability present" in a single platform where
many clients share a common email-sending platform for list-management, email-campaign
development, deployment and reporting, said Al DiGuido, CEO of Zeta Interactive
and the former CEO of Epsilon.
Email Service Providers, or
ESPs, took "extensive measures" to manage the "unique challenges" inherent in a
shared environment, DiGuido told eWEEK.
Data security is a constant
discussion point within every ESP, with "an incredible focus on tools, policies
and monitoring technologies" to prevent unauthorized access to the email-sending
infrastructure, DiGuido said. For example, it's an industry best practice that
personally identifiable information is never comingled with marketing data, so
attackers can't connect the two pieces of data, he said. Random security audits
are performed to check for potential attack entry points. Each client's
information is also partitioned to keep the data separate and secured
From an "outsider position,"
DiGuido thought it likely the attackers somehow compromised the application layer
access codes, which tricked the application into thinking the intruder was
authorized to interact with the system and databases. The partitions that
separated individual clients from each other must have also been compromised,"
"It's unclear as to how this
could have been accomplished without having access to numerous client-specific
access codes," said DiGuido.
While much of the focus has
been on how to avoid future attacks, the risk to retailers and other
organizations is "enormous," Nicholas J. Percoco, senior vice president and
head of Trustwave's SpiderLabs, told eWEEK. "Blaming subcontractors managing
the email system doesn't address the central problem of preventing similar
attacks in future," Percoco said.
DiGuido said it was the ESPs'
responsibility to work with peers to figure out collective ways to defend
against these types of targeted attacks.