Prior to April Fools’ Day, 2011, you probably had never heard of Epsilon Data Management, right? I’d wager, however, that this email marketing firm has heard of you. In excess of 250 million email account names were pirated from the marketing services firm, vaulting this to what may be the largest breach of personal information in U.S. history.
Epsilon is the company behind the high-profile leak of data belonging to some of the best-known and most respected brands in the world, including Best Buy, Capital One, Citigroup, Disney, Home Depot, Target, TiVo, Verizon, Visa and Walgreens … just to name the tip of this iceberg. If you have ever interacted with any of these brands, chances are your name and personal information were among the data stolen.
You might be asking yourself, “Why would Epsilon have my personal information?” Companies frequently trust other enterprises to perform services in support of their business – in the case of Epsilon, marketing services. Unfortunately, many companies do not take security seriously enough. In fact, a recent study conducted by the U.S. Secret Service concluded that 79 percent of victims subject to the Payment Card Industry Data Security Standard (PCI DSS) had not achieved compliance. The study also concluded that “48 percent of breaches were caused by insiders,” which means employees and trusted business partners like Epsilon.
Prior to doing business with a company to which sensitive data is released, the Chief Information Security Officer should always conduct a thorough examination of its security controls and overall security posture – especially when client information is at risk. My company’s reputation and my customers’ well-being are paramount and I don’t take that lightly.
If you are going to entrust sensitive data to a partner, you need to be asking questions like, “Do my service providers verify the security of their applications during installation and throughout the support cycle?” Have you considered that without security your business is at stake, and do your application providers take that seriously?
Fortunately, email addresses associated with these companies are the only information the criminals harvested. The real problem for the people those addresses belong to is just beginning: they will no doubt be targeted through email for information that will help the criminals steal their identities and create financial havoc.
Something else to remember is that legitimate companies will never ask you for personal information like Social Security numbers or credit card numbers in email. They should also never link you to their websites for the same purpose through email. If a company you deal with actually does this, find someone else to do business with.