How big was the Epsilon data breach?

There's been a lot of discussion in the past few weeks about the data breach at Epsilon that exposed the names and email addresses of many people to hackers. Exactly how many records were exposed? The most recent announcement from Epsilon says:

The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services.

Some estimates say that Epsilon stores information on roughly 250 million people. If PII of 2 percent of that 250 million were exposed, that means that PII of about 5 million people might have been exposed in Epsilon's breach.

That's a lot of PII to have exposed at once.

But a breach that exposes 5 million records doesn't really look that big when it's compared to other recent breaches. Here's a graph that I created with IBM's Many Eyes data visualization tool. It shows the relative size of recent data breaches (from the Open Security Foundation's data breach database), with a single breach of 5 million records highlighted. 


This seems to tell us that a breach that exposes 5 million records really isn't very notable.

If a breach that exposes 5 million records really isn't that notable, that's a sure sign that we're losing way too much data.

  • Adam

    Thanks for the analysis and thoughtful commentary. I think the logic is a bit off in the “5MM records” conclusion. Epsilon’s comment was that “2% of total clients” were compromised, NOT 2% of consumer records housed by Epsilon. Epsilon is trying to dilute the impact of the data breach. The “total clients” variable they’re using most likely includes all of Epsilon Interactive’s client customers, including, but not limited to, their Email Service Provider customers (additional divisions include Marketing Data, Database Services, etc.). Clients like JP Morgan Chase, CitiBank and Walgreens lean on Epsilon’s email division to manage tens (if not hundreds) of millions of records. While these clients with large email databases may make up only “2% of the total client” base for Epsilon, the impact to the consumer is much higher when measuring the total number of records compromised.

