Last week's data breach at Epsilon, a third-party company that handles customer email messaging for 150 firms, has led to a call for increased corporate email security and monitoring of email technology.
Irving, Texas-based Epsilon Data Management LLC handles customer email for large banks and retailers including Best Buy, JPMorgan Chase, Citigroup and L.L. Bean. Epsilon announced April 1 in a statement that a breach may have exposed the names and email addresses of thousands of people.
The attack raises concerns about cybercriminals launching targeted phishing attacks at consumers, with the compromised information being used to look like it’s coming from a legitimate source. But Steve Dispensa, chief technology officer and co-founder of authentication solutions provider PhoneFactor Inc., said phishing isn’t the only issue with which organizations need to be concerned.
"We can expect not only an increase in targeted phishing emails, but also other man-in-the-middle, malware and any other sort of attacks," Dispensa said.
Epsilon released an update this week saying "rigorous internal and external reviews confirmed that only email addresses and/or names were compromised” by the breach. But customer email addresses could be enough for savvy cybercriminals, experts say.
"This collection could be a treasure trove for cyberattackers, who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses," said Joris Evers, director of worldwide public relations at McAfee Inc.
The availability of personally identifiable information (PII) should make customers of those companies affected by the breach on the alert for email scams, Evers said.
The breach could serve as a wakeup call to the lack of regulations surrounding the availability of customers' email addresses. Avivah Litan, a vice president and analyst at Gartner Inc., wrote in a blog post that the Epsilon breach highlights the risks of outsourcing what can be a "seemingly low risk" application such as email. She also pointed to the lack of standards and enforcement for protecting PII.
This collection could be a treasure trove for cyberattackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses.
Joris Evers, director of worldwide public relations, McAfee Inc.
"There is no private-sector constituency that owns PII data, like there is when it comes to protecting payment card data, i.e., the banks and card companies, who brought us PCI," Litan wrote in the blog. "This is an area where more government guidelines and rules are increasingly needed, in my opinion."
Another question is whether the breach will alter public confidence in corporate email security policies and influence future compliance regulations surrounding PII. Will federal authorities see the breach as an opportunity to implement more cybersecurity legislation to protect consumers' private information? Will customers start examining corporate email security policies and pay closer attention to their history of adherence to IT compliance before making their information available?
Companies did the right thing by being transparent about the breach with customers, experts say. Customers need to be aware of the threat to be vigilant about protecting their information.
Dispensa said that shortly after the breach was made public customers, himself included, received several emails warning them of the breach. But consumer confidence could still take a hit, he said.
"The emails weren't sent by Epsilon; they came from the companies I do business with," Dispensa said. "These companies are the ones who are taking the hit in terms of customer trust."
The breach could also make companies realize that the corporate email security protocols they do have in place may not be enough. At least, that’s the case at Epsilon, as it works to protect itself from another breach. The company is working with federal authorities, as well as other outside forensics experts, to investigate the breach and consider additional security safeguards, according to an Epsilon statement.
"Within Epsilon, security protocols controlling access to the system have undergone a rigorous review, and access has been further restricted as the ongoing investigation continues," Epsilon officials said in the statement.
Let us know what you think about the story; email Ben Cole, Associate Editor.