From what I have read about the Epsilon breach, I have not been able to obtain any technical information on how the breach occurred. The company has not disclosed anything beyond a very terse message that data has been lost. Most people, along with the press and politicians, were notified by the affected third-party companies (the companies that had shared customer email addresses with Epsilon).
Epsilon handles marketing campaigns for its customers: banks like Citibank and Chase, hotel chains like Hilton and Ritz Carlton, and 2500 others. As such, Epsilon holds the email addresses of many of these merchants’ customers, and reportedly “2%” of this information was stolen by unknown parties. This blog lists 52 major corporations whose customers’ email addresses were stolen. Luckily, Epsilon does not hold credit card, bank account, or social security information, so there appears to be no immediate threat to customers’ money or identity.
So what is the damage to the public at large? Knowing your email address, combined with the fact that you are a customer of bank X, helps attackers send you more convincing phishing email, which can lead to more serious problems. For example, if you get an email from DodoBank suggesting that you log in at the following link for a free offer, you probably won’t be lured into clicking the link, since you don’t bank with DodoBank. But if you get a similar email from FrodoBank, which is in fact your bank, you may be more inclined to click. In other words, the stolen information makes phishers’ emails look more genuine and may improve their success rate.
What is the damage to Epsilon’s customers? Obviously they lose face, have to bear the immediate costs of notifying their clients and the regulators, and risk additional costs later on if the stolen information leads to a spike in successful fraud against their clients. These merchants are probably quite unhappy at this time. They should be asking some hard questions of Epsilon, to understand what security measures were in place before, and what new measures are being taken now.
This type of attack should be a red flag to every corporation that stores its information in the “cloud”. If you store your sensitive information on a service provider’s network, to a large extent you lose control of your data. Your data is at the mercy of the service provider’s security practices. How do you know that your data is reasonably protected? How do you know that your data is even properly segregated from other corporations’ data? Note that in Epsilon’s case, data was not well segregated: the attackers were able to get the email addresses of different corporations’ customers in one attack.
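To make the segregation point concrete, here is an added illustration (not code from the original post, and nothing to do with Epsilon’s actual systems) of the difference between a shared customer-list store that any caller can read in full and one where every read is bound to the tenant the caller authenticated as. Tenant names, email addresses and the table layout are all constructed for the example.

```python
"""Tenant-scoped access to a shared mailing-list store (constructed example)."""
import sqlite3
from dataclasses import dataclass

# Constructed sample data: two hypothetical tenants (clients of a marketing
# provider) whose customer email lists live in the same database.
SAMPLE_ROWS = [
    ("frodobank", "alice@example.com"),
    ("frodobank", "bob@example.com"),
    ("dodobank", "carol@example.com"),
]


class TenantScopeError(Exception):
    """Raised when a caller asks for data outside its own tenant."""


@dataclass(frozen=True)
class TenantContext:
    """The tenant identity established by authentication, not by the request."""
    tenant_id: str


def build_db() -> sqlite3.Connection:
    """Create an in-memory store holding several tenants' subscriber lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (tenant_id TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unscoped_export(conn: sqlite3.Connection) -> list[str]:
    """The shared-pool anti-pattern: one query returns every tenant's addresses,
    so a single compromised credential exposes all clients at once."""
    rows = conn.execute("SELECT email FROM subscribers")
    return [r[0] for r in rows]


def scoped_export(
    conn: sqlite3.Connection, ctx: TenantContext, requested_tenant: str
) -> list[str]:
    """Segregated access: the tenant id comes from the authenticated context,
    and a request naming any other tenant is refused before SQL runs."""
    if requested_tenant != ctx.tenant_id:
        raise TenantScopeError(
            f"tenant {ctx.tenant_id!r} may not read data of {requested_tenant!r}"
        )
    rows = conn.execute(
        "SELECT email FROM subscribers WHERE tenant_id = ?", (ctx.tenant_id,)
    )
    return [r[0] for r in rows]


def tenants_reachable(conn: sqlite3.Connection, ctx: TenantContext, scoped: bool) -> int:
    """Blast radius of one compromised credential: how many tenants' lists
    it can read under each access model."""
    if not scoped:
        return conn.execute("SELECT COUNT(DISTINCT tenant_id) FROM subscribers").fetchone()[0]
    return 1 if scoped_export(conn, ctx, ctx.tenant_id) else 0


if __name__ == "__main__":
    db = build_db()
    ctx = TenantContext("frodobank")
    print("unscoped reach:", tenants_reachable(db, ctx, scoped=False), "tenants")
    print("scoped reach:  ", tenants_reachable(db, ctx, scoped=True), "tenant")
    print("frodobank list:", scoped_export(db, ctx, "frodobank"))
    try:
        scoped_export(db, ctx, "dodobank")
    except TenantScopeError as exc:
        print("refused:", exc)
```

The question a customer should put to a provider is which of these two shapes its platform has: whether a compromised account, API key or export job is bounded to one client’s data by construction, or whether every client’s list sits behind the same door.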
Bottom line: if you outsource your data, it is wise to ask your service provider what they are doing to protect it, and if they are not doing enough, demand that they improve!