Epsilon Data Management LLC, a Dallas-based direct marketing firm serving scores of retail giants and banking customers, experienced a security breach of its email databases March 30. Armed with the names and email addresses of millions of customers from such household names as Citigroup, Capital One, JPMorgan Chase, Best Buy and Disney, fears arose that the hackers could launch targeted phishing attacks.
More compliance FAQs?
Get caught up on regulations and more with our
The incident spurred a frenzy of activity in Washington to enact better laws to protect consumer data online, and sparked a debate over whether email addresses should be deemed personally identifiable information. Get answers to frequently asked questions about the data breach below.
- What was the Epsilon security breach?
- What data was stolen in the breach, and what risks did it pose?
- How was the data breach accomplished?
- What was the cost of the breach to Epsilon and its business customers?
- What impact will the breach potentially have on email regulations?
Email databases run by Epsilon were hacked March 30, compromising the names and email addresses of millions of consumers who did business with Epsilon’s corporate clients. Epsilon, a Dallas-based subsidiary of Alliance Data Systems Inc., manages customer email accounts and provides email marketing services for many enterprises, including seven of the Fortune 10 companies. The company, which sends more than 40 billion emails a year, notified its clients of the breach April 1.
Epsilon breach shows lack of email regulations, consumer protection
The Epsilon data breach may have exposed thousands of customer email addresses to cybercriminals, highlighting the lack of corporate email security to protect consumers.
The email addresses and, in some cases, the names of Epsilon business clients' customers were stolen during the breach. It’s estimated that the information of tens of millions of consumers was compromised.
Epsilon reported that no personally identifiable information (PII) was stolen. (Most state data breach notification laws require companies to notify consumers only if PII has been breached.) However, medical information of some consumers may have been compromised, according to a report by The Wall Street Journal. Pharmaceutical giant GlaxoSmithKline PLC, one of Epsilon’s business clients, sent a letter to customers in mid-April alerting them that the stolen data may have included websites with which they had registered for drugs and other medical products, the newspaper reported April 18.
Individuals whose email information was stolen face the risk of becoming the targets of sophisticated phishing attacks. While highly sensitive data, such as Social Security numbers or financial information, reportedly was not stolen, the Epsilon breach showed that compromised names and email addresses pose a considerable threat. This less-sensitive information opens an avenue through which criminals can try to draw more valuable information out of unsuspecting email users. Consumers are likelier to be tricked into sharing financial information, for example, if those asking for it already know their names and email addresses.
How ignoring data security and privacy leads to compliance risks
HiSoftware chief technology officer Thomas Logan discusses under-the-radar -- but common -- data security and privacy lapses that cause compliance risks.
One of Epsilon’s email application administrators detected suspicious download activity in some email databases March 30, and then discovered that his or her log-in credentials had been compromised, Epsilon’s general counsel told U.S. lawmakers in a letter April 18. The attackers used those credentials to gain entry to the systems.
The U.S. Secret Service and FBI were called in to investigate the incident along with forensic consultants, but more than six weeks following the discovery of the breach, the root cause had not been disclosed.
It is possible that a virus may have been at the root of the breach, as indicated by Epsilon’s move to deploy additional virus scans of the compromised systems immediately following the discovery. The company worked with its antivirus support supplier to ascertain threat signatures as well, according to Epsilon’s general counsel.
Post-WikiLeaks computer security measures include hired hackers
Life imitates fiction as the WikiLeaks drama unfolds; an expert suggests that CIOs amp up computer security measures with hired hackers.
Epsilon and its parent company worked hard to downplay the cost of the breach to its customers and itself. The greatest risk, the company said in an April 6 press release, was the potential loss of clients. Others, however, estimate that the breach will ultimately cost billions of dollars.
Epsilon’s costs could reach $225 million, and its clients could end up footing a bill for another $412 million, according to analytics firm CyberFactors. Many of the company’s clients raced to develop new email marketing campaigns after canceling those that were in progress at the time of the breach. Once fines, litigation, lost business and forensic audits have been factored in, the incident could cost as much as $4 billion, CyberFactors predicted.
Sony announces service restoration, enhanced customer data protection
After a cyberattack put Sony's protection of personal information under a microscope, the company has announced increased security measures and enhanced customer data protection.
The Epsilon breach put on stark display the lack of regulation surrounding the protection of email addresses. Some experts suggested that the definition of personally identifiable information, which is protected under the laws of many states, could be expanded to include email addresses in light of the breach.
The financial services industry, which is especially prone to targeted phishing attacks, could be confronted with new guidance about how to handle email addresses. Phishing attacks masquerading as communications from national banks grew 11% from the last quarter of 2010 to the first quarter of this year, according to a report from security vendor Internet ID. The Federal Financial Institutions Examination Council, which issues recommendations on online authentication, could address email in its next update, according to some experts.
In the wake of the incident, lawmakers expressed growing alarm at the state of security of consumer data held by corporations. Epsilon officials were called to testify before the House Subcommittee on Commerce, Manufacturing and Trade May 4, but they declined the invitation. Lawmakers floated a variety of legislative proposals to enhance the protection of consumer data in the weeks following the breach, including national breach notification laws and do-not-track mechanisms.
Meanwhile, an organization that represents Epsilon and others in the direct marketing business tried to get ahead of the legislative and regulatory zeal and demonstrate better self-policing. In April, the Online Trust Alliance encouraged the industry to reclassify email lists as personal information. On April 20, the alliance unveiled the Security by Design Framework for email and other interactive messaging systems.
Get the answers to FAQs on email security policies.
Let us know what you think about this FAQ; email firstname.lastname@example.org.
This was first published in May 2011