Epsilon Data Breach Highlights Cloud-Computing Security Concerns

The theft of email addresses from Epsilon could affect consumer trust, and organizations have to reassess the risks of outsourcing less sensitive data and processes.

As email-marketing company Epsilon continues to deal with the fallout related to the revelation that some of its clients' customer data has been exposed to a third-party, it becomes clear that this incident affects all service providers as organizations renew their focus on data security. In addition, this latest data breach calls into question how secure information is within a cloud-computing infrastructure.

Epsilon reported April 1 that it detected an "unauthorized entry" into its email system and discovered that email addresses and names belonging to a "subset" of its clients had been exposed to attackers.

The company estimated that the attack affected 2 percent of its approximately 2,500 clients. Despite the size of the breach, some affected companies and customers have taken heart in the fact that the stolen data included "only" email addresses, as opposed to personally identifiable information, such as social security numbers.

Still, it means customers are in for more spam, and that leads to questions about whether people can trust something as simple as an email address to a retail store or hotel chain.

"Any company that is privileged to manage the information that a company maintains about its customers should be paying attention," said Dave Frankland, principal analyst at Forrester Research.

Most of the individuals receiving notification emails about the breach have never heard of Epsilon. The data loss doesn't affect their perception of Epsilon. However, the breach has affected customers' relationships to the name-brand banks, travel companies or retail outlets that have had to send out notifications that email addresses have been compromised, said Frankland.

"Customers will surely start to wonder if they can't trust these firms with their email addresses. [They ask themselves if it's] really that smart to trust them with their credit card data, or with their mortgage," Frankland said.

The resulting loss of trust and consumers' perception that companies shouldn't have outsourced even the "innocuous" data may force organizations to reassess their marketing strategy. The kind of targeted marketing that Epsilon and similar firms do, such as marketing a mink coat to consumers in Ohio but not to Miami residents, is often beyond the organization's capabilities. But now organizations have to recognize the risks to the brand and consumer trust by continuing to work with an external marketing provider, Frankland said.

The Epsilon episode raises additional concerns about how secure any data is within a cloud-computing infrastructure, especially as the technology becomes more mainstream.

Cloud adoption, while strong, has been hampered somewhat with concerns about data security in a multi-tenant deployment, and the Epsilon breach brought those concerns back to the forefront. A single system, when broken into, gives the perpetrator potential access to a wealth of data, Frankland said.

Marketing providers are "always keenly aware" of the "vulnerability present" in a single platform where many clients share a common email-sending platform for list-management, email-campaign development, deployment and reporting, said Al DiGuido, CEO of Zeta Interactive and the former CEO of Epsilon.

Email Service Providers, or ESPs, took "extensive measures" to manage the "unique challenges" inherent in a shared environment, DiGuido told eWEEK.

Data security is a constant discussion point within every ESP, with "an incredible focus on tools, policies and monitoring technologies" to prevent unauthorized access to the email-sending infrastructure, DiGuido said. For example, it's an industry best practice that personally identifiable information is never comingled with marketing data, so attackers can't connect the two pieces of data, he said. Random security audits are performed to check for potential attack entry points. Each client's information is also partitioned to keep the data separate and secured independently.

From an "outsider position," DiGuido thought it likely the attackers somehow compromised the application layer access codes, which tricked the application into thinking the intruder was authorized to interact with the system and databases. The partitions that separated individual clients from each other must have also been compromised," he said.

"It's unclear as to how this could have been accomplished without having access to numerous client-specific access codes," said DiGuido.

While much of the focus has been on how to avoid future attacks, the risk to retailers and other organizations is "enormous," Nicholas J. Percoco, senior vice president and head of Trustwave's SpiderLabs, told eWEEK. "Blaming subcontractors managing the email system doesn't address the central problem of preventing similar attacks in future," Percoco said.

DiGuido said it was the ESPs' responsibility to work with peers to figure out collective ways to defend against these types of targeted attacks.