Home  › Email › Email Marketing

Epsilon's Security Breach Exposes Troubling Trend

  |  April 5, 2011   |  Comments

Hackers intensify attacks on service providers in recent months, seeking to steal customer email addresses and more.

"Important message from Target," read the subject line of the email sent to Target customers Monday. "Target's email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party," the message stated.

Notes like these were delivered to an undisclosed number customers of an estimated 50 companies, including Target, Chase, Marriott, Walgreens, and Capitol One over the past four days after their email service provider, Epsilon, disclosed that an intruder had accessed its email records.

Epsilon said only email addresses were exposed and not information such as credit card numbers, Social Security numbers, or customer names. Epsilon also said the breach affected 2 percent of its clients.

However, the affected businesses warned their customers to avoid phishing attacks designed to trick them into providing personal information, passwords, and other sensitive information to hackers who may now have access to their email addresses.

Craig Spiezle, executive director at the Online Trust Alliance, said he could not comment specifically about the Epsilon breach. However, he said it represents one of several incidents that could erode public trust in service providers. (The alliance is an industry group that works on behalf of its members to improve trust in e-commerce and other digital services; Epsilon is listed as a member.)

The Epsilon incident, he said, "underscores the importance that we must increase investment in security measures. They are not the first ESP and they probably won't be the last (to be hacked)," he said.

Advances in email filtering offer some safeguards against fraudsters. "Just having a [customer email] list alone does not mean you can contact a person," Spiezle said. "The ISPs have mechanisms to detect spam. They can look at an IP address to determine if mail is authentic."

What's especially troublesome, he said, is the velocity and sophistication of attacks against service providers - and not just email service providers.

Consider these recent incidents:

- Silverpop, a digital marketing services company, disclosed in December that it was one of several technology providers that were targeted as part of a cyber attack. CEO Bill Nussey, in a blog post, said a quick decision to reset customer passwords halted the attack. "Third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned," Nussey wrote.

- RSA Security, which develops software and hardware to protect computer networks, said last month that a cyber attacker had stolen information that could potentially reduce the effectiveness of its SecurID two-factor authentication products.

- A hacker tricked Comodo, the developer of anti-virus software, into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other websites, according to a CNET report.

Spiezle's advice for businesses? "If you are collecting data, you have to assume you will lose it," he said. Businesses must ask: What are you doing to minimize access and collection of data? What are you doing to detect intrusions and remediate breaches? "That's a business mindset you have to have. You have to be prepared for the worst," he said.

One indication of the size of the exposure: "Epsilon" emerged as a trending topic on Twitter last night as people tweeted and retweeted about the breach. "May need to create a filter just for notifications about Epsilon's email breach," tweeted Doug Bowman, aka @stop.

Other people expressed surprise over the fact that a company they never heard of had access to their information.

"Who is Epsilon & why was my data exposed to unauthorized entry... Hate when my junk is violated without my consent," tweeted AJ Karim, aka @ajkarim.

ClickZ Live Chicago Learn Digital Marketing Insights From Leading Brands!
ClickZ Live Chicago (Nov 3-6) will deliver over 50 sessions across 10 individual tracks, including Data-Driven Marketing, Social, Mobile, Display, Search and Email. Check out the full agenda, or register and attend one of the best ClickZ events yet!

ABOUT THE AUTHOR

Anna Maria Virzi

Anna Maria Virzi, ClickZ's executive editor from 2007 until 2012, covered Internet business and technology since 1996. She was on the launch team for Ziff Davis Media's Baseline and also worked at Forbes.com, Web Week, Internet World, and the Connecticut Post.

COMMENTSCommenting policy

comments powered by Disqus

Get ClickZ Email newsletters delivered right to your inbox. Subscribe today!

COMMENTS

UPCOMING EVENTS

UPCOMING TRAINING

Featured White Papers

Google My Business Listings Demystified

Google My Business Listings Demystified
To help brands control how they appear online, Google has developed a new offering: Google My Business Locations. This whitepaper helps marketers understand how to use this powerful new tool.

5 Ways to Personalize Beyond the Subject Line

5 Ways to Personalize Beyond the Subject Line
82 percent of shoppers say they would buy more items from a brand if the emails they sent were more personalized. This white paper offer five tactics that will personalize your email beyond the subject line and drive real business growth.

WEBINARS

Jobs