5 Things to do now as a result of the Epsilon Data Breach

As you will have read or watched in every media outlet today, Epsilon, a company that provides some of the top brand-name companies with email marketing services, had a data breach that exposed the names and email addresses of millions of customers. As reported in the New York Times and in blogs such as Byron Acohido's "The Last Watchdog", these customers will now probably face further attempts on their private information. Here are some resources that will help you make sense of the data breach and ensure that your company is not the next Epsilon:

  1. What do you need to know about the Epsilon Data Breach?

By now, everyone has read about a company named Epsilon. In fact, many people most likely have direct involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. These notifications stem from Epsilon Interactive, a third-party provider of managed email services, being compromised and having the customer email lists of some of its 2,500 clients stolen.

Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.

A list of companies whose customer data has been breached can be found at http://datalossdb.org/incidents/3540 and http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ – these lists are being updated as companies send out their data breach notifications.


  2. What to tell your customers and employees to do now?

If you yourself have received data breach notifications from companies that you do business with, then chances are your own email address was amongst those breached – here are some basic guidelines on how to avoid follow-up fraud from the perpetrators of this data breach:

  • Don't open emails from people you don't know
  • Don't respond to emails asking you to verify your password or other personal details
  • Hang up on phone calls from the bank or others who call asking you to verify personal information
  • Don't open email attachments – even 'Data Breach Notification' letters – and if you do, make sure anti-phishing countermeasures are active
  • Do change your passwords – go directly to the company's website – don't click on a link in an email

  3. How to protect your data?

Like most companies, Epsilon had extensive security measures in place – however, sophisticated criminals found a way to breach those defenses. Once inside, they were able to make off with millions of email addresses, because this type of data was lying around in the clear – no one thought the data was at risk. The best defense is to protect the data itself. That way, even if hackers force their way into your systems, the data they take is useless to them. The solutions that accomplish this – typically encryption or tokenization – are widely available and are used extensively by payment processors, retailers, financial institutions and healthcare organizations to protect sensitive data wherever it goes. In fact, the best approach is to encrypt information as early as possible and keep it encrypted for as long as possible, until it is actually needed – this is often referred to as End-to-End Encryption.

Voltage has provided some of the largest brand-name companies in the world with solutions to protect emails and information stored in databases and used by applications – inside and outside the cloud. To learn more, see Voltage SecureMail, Voltage SecureData Enterprise and Voltage SecureData Payments.

In addition:

  • Consumers need to know what data is being captured, what it is used for, and how it is being protected as a matter of corporate policy
  • Corporations must demand that their business partners and IT secure personal data so it cannot be exploited in the all too easy manner illustrated by the Epsilon attack
  • Protect non-regulated personal data – email addresses may not be a regulated field in regulations like PCI, but if they are being captured, they can be exploited
  • Access to personal data within a corporation needs to be locked down on a need-to-know basis – for example, exposing only the last 4 digits of an SSN instead of the whole number, or using encryption and tokenization to reduce the exposure of real data to employees, partners and customers
  • Communication with consumers and business partners needs to be secured and trusted – use a secure email solution, but make sure it has anti-phishing countermeasures activated
  • Avoid using live data in test systems – de-identify and mask it to reduce exposure outside production controls

Learn how a top financial services firm protects sensitive data


  4.

The other big lesson to learn from the Epsilon data breach is that while you may implement safeguards to protect sensitive data within your own datacenters, your third-party service providers must do the same – it is critical that your sensitive information is protected via encryption or tokenization by the third party. In fact, many in the industry are calling for contractual clauses that insist on data encryption by 3rd parties.

Learn how a top insurance company made sure its service providers protected its data


  Consumer Data Protection Manifesto

In order to safeguard sensitive customer information, many consumer advocates are calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach – similar to Sarbanes-Oxley, this would bring board-level visibility to an issue that is critical in the minds of consumers.

Secondly, to protect data that is being used by 3rd-party service providers, companies should insist on a data protection clause in their contracts that mandates the encryption of all consumer data. Data transferred to a service provider should be encrypted, in line with the principle that consumer information is encrypted at the earliest opportunity and remains encrypted until needed.

See Voltage co-founder Matt Pauker's op-ed in Forbes on the subject.
