Analysis of Epsilon's data breach and what you need to do...

Background
According to Epsilon, “On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

While Epsilon is not releasing a comprehensive list of clients affected, news sources indicate that at least some customers of Barclays Bank, Best Buy, JP Morgan Chase, Kroger, TiVo, and Walgreens have had their name and email address exposed to unauthorized personnel.

DBMT Interpretation
Since Epsilon is saying that the breach involves only names and email addresses, this appears to be a security breach involving an email campaign database. If the breach is limited to name and email address, the impact may be increased spam or phishing.

DBMT Recommendations
If you are a client of Epsilon, especially if your customer email database is hosted by them, DB Marketing Technologies recommends the following actions:

1. Contact Epsilon and ask questions to determine the scope of the breach. For example, “Is the breach limited to a specific database?” “Are my customers in that database?” “Was the breach limited to a subset of customers and if so, why was it limited?” The challenge in these circumstances is that often the stated scope of a breach is limited to what has been confirmed. However, knowing details around where the breach occurred can help determine the likelihood of additional unintentional disclosures.
2. Perform a review/assessment of standard operating procedures with your Epsilon team to ensure that you have sufficient system and process protections in place to avoid security issues. Also, review your Epsilon Service Level Agreements to ensure that Epsilon’s approach towards addressing a breach, in the event it occurs, is acceptable to you and binds Epsilon contractually.

If you are not a client of Epsilon, but are concerned about how your marketing database service provider is securing your information and how they would respond to a breach, DB Marketing Technologies recommends the following:

1. Perform a review/assessment of standard operating procedures with your marketing database service provider to ensure that you have sufficient system and process protections in place to avoid security issues. Also, review your Service Level Agreements to ensure that your marketing database service provider’s approach towards addressing a breach in the event it occurs is acceptable to you and binds your vendor contractually.
2. Check out the following articles:
   1. Eight tips to structuring better interface agreements...
   2. Seven tell-tale signs your database is hurting you...

Call 212 717-6000 x6165 for additional information.