Epsilon breach: When should almost public info be private?

A press feeding frenzy followed the somewhat vague April Fools Day announcement by Epsilon Data Management that someone had hacked into its systems and stolen a bunch of email addresses. The addresses were of people who had "opted in" for email marketing by a bunch of major vendors such as Target and Red Roof Inns, and many of the vendors sent announcements of the breach to their customers (I got such an announcement from a vendor I had purchased a present from for my wife. The announcement did not say all that much, essentially it told me to "be careful".).

Was this an important breach? What should you do if you have amassed a pile of such information?

MAILBAG: 'We regret to inform you': The Epsilon breach letters you don't want to see 

We did not find out all that much about the Epsilon Data Management breach from the first press release (other than to say that the company did not quite live up to the promise of its corporate name). And the second press release did not add much actual data.

It seems to me that it would be better for Epsilon to be more forthcoming as to the scale of the breach and other details.

It might be fun to try to figure out why the press found this breach so interesting. (This publication had 10 articles on it and Google News picks up over 3,000.) By any objective measure, loss of a bunch of email addresses pales in comparison to what else has been going on - for example the breach at Ohio State University that may have exposed 760,000 names and Social Security numbers of current and former Ohio State "faculty, students and staff as well as applicants and other individuals who have been associated with the university."

The Ohio State breach seems to have gone unnoticed by most technical publications.

The biggest threat from the Epsilon breach to those whose email addresses were stolen is that you may receive better-targeted phishing attempts. RSA's description of how their recent breach happened does show that the risks of phishing attacks can be quite real. But the risk with exposing email addresses will always be far less than with exposed SSNs since so many institutions, such as banks, think that anyone with the knowledge of your name and SSN must be you - a stunningly stupid, and common, assumption.

But there clearly is a lesson that enterprises should learn from the Epsilon situation - any enterprise that stores any significant amount of information that some part of the public might consider to be, to some degree, private needs to actually protect that information from theft.

One example of a reasonable best practice for protecting private information is the Payment Card Industry's Data Security Standards (PCI DSS).

A lot in the PCI DSS might be overkill if you are only protecting a database full of names and email addresses, but the basic system architecture makes a lot of sense. For example, you should not store any confidential information on any Web server - ever. If you do need to store confidential data, it should be stored on a backend database with a firewall between the database and any Web server, and between the database and any enterprise users.

Such protections do not always prevent hackers from being successful, but they do make things harder for the hacker and give you a better story to tell if you do get hacked.

Disclaimer: Harvard has classes on how to tell stories but I have not taken that class or asked the instructors about the above story, so it must be my own.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Targetsecuritydata breachEpsilon

More about Epsilon InteractiveGoogleLANRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Scott Bradner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts