Epsilon’s Data Breach: Be Careful Out There
On April 1 (yes, April Fools’ Day), Epsilon, one of the premier permission email marketing companies, announced the following:
“On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”
What exactly is permission email marketing? Essentially, it is the email you receive as a loyal customer of, say, a store, announcing a store deal or a special offer like buy two get one free; you get the picture. Now, you may have thought this had nothing to do with you until you received emails from some of the companies you gave your email address to so that they could “tell you” about whatever promotions they were running. Most likely, you received a number of emails from a number of different stores and banks warning about a data breach and telling you to be careful.
Now I bet you are wondering how Epsilon got your information because you’ve never heard of them before. So here are a few facts you need to know:
- Epsilon works for more than 2500 brands and sends more than 40 billion emails a year on their behalf (that’s how they got your information).
- Epsilon builds and hosts customer databases for these brands (these are the databases that were hacked).
- Epsilon’s customers include grocery stores, banks, retailers, and hotels (that’s why you probably got multiple emails notifying you of a data breach from all of the places that you gave your email to).
Okay, before I get into specifics about the growing number of companies whose customer data was exposed, as well as the fact that this might be the largest data breach in history, with more than a million consumer records at risk, I want to talk briefly about Epsilon. This is no “fly by night” organization. It is a reputable firm, and is considered by many to be the best in the business. That’s why all these companies use them for email marketing. That being said, it is not clear that Epsilon protected this data adequately. Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting, put it this way:
“Some of the most fundamental steps of protecting consumer data were not taken here.”
If that’s the case, the company should be, as Schwartzman said, “held to the flames for not adequately protecting sensitive consumer information.” As a marketer, I can only tell you that if I worked for any of the brands that were affected I would be banging my head on a table and meeting with my data security team to put a process in place for reviewing the security measures of every third party with which I shared customer information. What I am trying to say is this: most companies who collect and use consumers’ information are rigorous about protecting it. At PatternBuilders, we work with a number of retailers, analyzing their data to better understand buying behavior and what drives it. Their paramount concern is the same as ours: keeping that data in a secure environment to prevent breaches.
Okay, who is on the list for a possible breach? Well, as of today it includes: Kroger, TiVo, Marriott Rewards, Ritz-Carlton Rewards, US Bank, JPMorgan Chase, Capital One, Citi, McKinsey & Company, New York & Company, Brookstone, and Walgreens. SecurityWeek has what appears to be the most exhaustive list but as I said before, the list of companies affected seems to grow by the hour.
Why should you be worried if it’s only your email and name that was potentially taken? Well, although Epsilon states that no other “personal identifiable information” was exposed, the fact that attackers now have lists of names and email addresses tied to a specific company opens all of us to lots of potential spam email (a relatively benign consequence) or phishing attacks (potentially far more harmful in terms of identity theft). A phishing email that names the bank or store you actually do business with, and addresses you by name, is far more convincing than a generic one. Now, in a previous post on passwords and security I reminded everyone that if you are successfully phished (where your personal information is acquired by someone posing as a trusted source) and you happen to use the same password on multiple accounts, you expose yourself to even more potential harm, because whoever has that password can try it on your other accounts too.
I suspect that we have all been the subject of phishing attempts and know enough not to open attached files or go to the hyperlinked websites in the email we receive. Usually, those attempts come from what we call unknown sources; we do not have a relationship with the source, so we are far more careful in how we deal with that email. However, in this case the attempt will appear to come from a trusted source. For example, I could receive an email from “Chase” that looks just like the emails I received previously from Chase, so I get “conned” into clicking on the email link to Chase, go to what looks like Chase’s website, and enter my username and password. And just like that, the attacker has access to my Chase account. Keep in mind that the sender address and the look of a message are trivial to forge, and the text you see on a link need not match where the link actually goes. My number one rule to prevent this from happening: never, ever click on an email hyperlink to your accounts. Instead, type the address into your browser yourself, or use a bookmark you saved earlier, and go to the account as you normally would. That way you ensure that you are on the real website.
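To make the “link text need not match where the link goes” point concrete, here is an added example (not code from the original post) that pulls every link out of an HTML email and checks whether its real destination belongs to the brand the message claims to be from. The sample message, the `chase.com` allow-list, and the look-alike hosts are all constructed for the demonstration; the registrable-domain helper is a deliberate simplification and should use the Public Suffix List in real use.

```python
"""Flag email links whose real target does not belong to the claimed brand.

Added illustration, not code from the original post.  The email body and the
allow-list below are constructed for the demo.
"""
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample: looks like a bank notice.  Link 1 really goes to the
# bank; link 2 shows the bank's URL as its text but points elsewhere; link 3
# buries the brand name in a subdomain of an unrelated domain; link 4 is not
# a web link at all.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="https://www.chase.com/security">Chase Security Center</a>
<a href="http://chase-secure-login.example.net/verify">https://www.chase.com/verify</a>
<a href="https://chase.com.account-check.example.org/">Log in to Chase</a>
<a href="mailto:help@chase.com">Contact us</a>
"""

# Hypothetical allow-list: registrable domains the real sender uses.
TRUSTED_DOMAINS: Set[str] = {"chase.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels ('www.chase.com' -> 'chase.com').

    Simplification for the demo: a real implementation must consult the
    Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text: str) -> Optional[str]:
    """If the visible link text is itself a URL, return the host it shows."""
    t = text.strip()
    if t.startswith(("http://", "https://")):
        return urlsplit(t).hostname
    return None


def classify_link(href: str, text: str, trusted: Set[str]) -> str:
    """Return 'trusted', 'mismatch', 'untrusted' or 'skip' for one link."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return "skip"                       # mailto:, tel:, javascript: ...
    target = registrable_domain(parts.hostname or "")
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != target:
        return "mismatch"                   # text claims one site, href goes to another
    return "trusted" if target in trusted else "untrusted"


def audit_email(html: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[Tuple[str, str]]:
    """Classify every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, classify_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {href}")
```

Run as a script it prints one verdict per link; the second link is reported as a mismatch even though its visible text is the bank’s own address, which is exactly the trick the paragraph above describes. The check is a reading aid, not a substitute for the rule: a link to an unrelated domain with innocent-looking text is only reported as untrusted, so typing the address yourself remains the safe habit.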
How can you keep a phishing attempt from succeeding? Well, I’ve received a number of forwarded emails this weekend from friends and family about data breach warnings from various companies. The best one (IMHO) came from Chase, and I am sure that they won’t mind me quoting them directly:
- Don’t give your User ID or password in e-mail.
- Don’t respond to emails that require you to enter personal information directly into the email.
- Don’t respond to emails threatening to close your account if you do not take the immediate action of providing personal information.
- Don’t reply to emails asking you to send personal information.
- Don’t use your email address as a login ID or password.
Think of these as rules to email by—really, if you abide by these rules all the time the odds of falling prey to a phishing attack are very low.
Finally, keep in mind that this hacked information could be bought and sold hundreds or thousands of times. Translation: there may be a lot of phishing attempts coming your way and they could happen today, next week, next month, six months, or even a year from now. So be careful out there!