5 Things to do now as a result of the Epsilon Data Breach
As you will have read or watched in every media outlet today, Epsilon, a company that provides email marketing services to some of the top brand-name companies, had a data breach that exposed the names and email addresses of millions of customers. As reported in the New York Times and on blogs such as Byron Acohido's "The Last Watchdog", these customers will now probably face further attempts on their private information. Here are some resources that will help you make sense of the data breach and ensure that your company is not the next Epsilon:
1. What do you need to know about the Epsilon Data Breach?
By now, everyone has read about a company named Epsilon. In fact, many people most likely have direct involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. These notifications stem from Epsilon Interactive, a third-party provider of managed email services, being compromised and having customer email addresses belonging to some of its 2,500 clients stolen.
Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.
A list of companies whose customer data has been breached can be found at http://datalossdb.org/incidents/3540 and http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ – these lists are being updated as companies send out their data breach notifications.
2. What to tell your customers and employees to do now
If you yourself have received data breach notifications from companies that you do business with, then chances are your own email address was among those breached. Here are some basic guidelines on how to avoid follow-up fraud from the perpetrators of this data breach:
3. How to protect your data
Like most companies, Epsilon had extensive security measures in place; however, sophisticated criminals found a way to breach those defenses. Once inside, they were able to make off with millions of email addresses because this type of data was stored in the clear; no one thought the data was at risk. The best defense is to protect the data itself, so that even if hackers force their way into your systems, what they take is useless to them. The solutions that accomplish this, typically encryption or tokenization, are widely available and are used extensively by payment processors, retailers, financial institutions and healthcare organizations to protect sensitive data wherever it goes. In fact, the best approach is to encrypt information as early as possible and keep it encrypted for as long as possible, until it is actually needed; this is often referred to as End-to-End Encryption.
Voltage has provided some of the largest brand name companies in the world with solutions to protect emails, information stored in databases and used by applications – inside and outside the cloud. To learn more click on one of the following links:
Learn how a top financial services firm protects sensitive data
The other big lesson to learn from the Epsilon data breach is that while you may implement safeguards to protect sensitive data within your own datacenters, your third-party service providers must do the same: it is critical that your sensitive information is protected by encryption or tokenization while it is in the third party's hands. In fact, many in the industry are calling for contractual clauses that insist on data encryption by third parties.
Learn how a top insurance company made sure its service providers protected its data
Consumer Data Protection Manifesto
In order to safeguard sensitive customer information, many consumer advocates are calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach. Similar to Sarbanes-Oxley, this would bring board-level visibility to an issue that is critical in the minds of consumers.
Secondly, to protect data that is used by third-party service providers, companies should insist on a data protection clause in their contracts that mandates encryption of all consumer data. Data transferred to a service provider should be encrypted, in line with the principle that consumer information is encrypted at the earliest opportunity and remains encrypted until it is needed.
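As an added illustration, not code from the original post or from Voltage, the following Python sketch applies the tokenization approach described in section 3 and in the contractual point above to the Epsilon scenario: the customer list is tokenized before it leaves the brand, the service provider's copy holds only keyed tokens, and real addresses are resolved only at send time inside the data owner's boundary. The `TokenVault` class, the HMAC key and the sample customer records are all constructed for this example; a production deployment would keep the key in a key manager and the vault in a hardened store rather than in process memory.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: the kind of list a brand hands to an email
# service provider. Names and addresses are made up for this example.
CUSTOMERS = [
    {"id": 1, "name": "Ana Example", "email": "Ana@Example.com"},
    {"id": 2, "name": "Bo Example", "email": "bo@example.org"},
    {"id": 3, "name": "Cy Example", "email": "ana@example.com"},  # same address as #1
]


class TokenVault:
    """Lives with the data owner, never with the service provider.

    Maps tokens back to real addresses. The HMAC key is assumed to come from
    a key manager (generated in memory here, for the demo) and is never
    stored beside the customer data or shared with the provider.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self._key = key
        self._vault: dict[str, str] = {}

    def tokenize(self, email: str) -> str:
        # Normalise so Ana@Example.com and ana@example.com map to one token.
        # Deterministic tokens let the provider de-duplicate and honour
        # suppression lists without ever seeing the address; without the
        # key a token cannot be reversed or even matched to a guessed address.
        norm = email.strip().lower()
        digest = hmac.new(self._key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._vault[token] = norm
        return token

    def detokenize(self, token: str) -> str:
        # Only code inside the data owner's boundary holds the vault.
        return self._vault[token]


def export_for_provider(customers, vault):
    """Replace the sensitive field before any record leaves the company."""
    out = []
    for rec in customers:
        safe = dict(rec)
        safe["email"] = vault.tokenize(rec["email"])
        out.append(safe)
    return out


def leaks_addresses(records) -> bool:
    """Crude check a reviewer might run over a provider-side dump."""
    return any("@" in str(v) for rec in records for v in rec.values())


def deliver_campaign(provider_records, vault, subject):
    """Detokenize only at the moment of sending, inside the owner's boundary.

    Returns (recipient, subject) pairs instead of sending, so the step can be
    exercised offline. Duplicate tokens collapse to one delivery.
    """
    seen = set()
    deliveries = []
    for rec in provider_records:
        if rec["email"] in seen:
            continue
        seen.add(rec["email"])
        deliveries.append((vault.detokenize(rec["email"]), subject))
    return deliveries


def demo():
    key = secrets.token_bytes(32)  # demo only; production keys come from a KMS/HSM
    vault = TokenVault(key)
    provider_copy = export_for_provider(CUSTOMERS, vault)
    return vault, provider_copy


if __name__ == "__main__":
    vault, provider_copy = demo()
    for rec in provider_copy:
        print(rec)
    print("provider dump leaks addresses:", leaks_addresses(provider_copy))
    print(deliver_campaign(provider_copy, vault, "Spring offers"))
```

The point of the layout is where the breach would land: a compromise of the provider's store, the failure mode the post describes, yields only `tok_...` values that are useless without the key and vault, which never left the brand. The same check, `leaks_addresses`, returns `True` on the original list and `False` on the exported copy, which is a useful acceptance test for the contractual clause described above.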
See Voltage co-founder Matt Pauker's op-ed in Forbes on the subject.