Epsilon Breach: The Growing Impact

List of Affected Organizations Swells; New Focus on e-Mail
More than two weeks have passed since Epsilon, the online marketing unit of Alliance Data Systems Corp., revealed an outside intrusion into some of its customer files that contain consumer e-mail addresses.

While the cause of the incident has not been publicly disclosed, its aftermath has seen a growing list of organizations impacted by the breach. It also has ignited a new discussion about the sensitivity of e-mail data.

Epsilon, which sends e-mail campaigns to consumers on behalf of credit brands and others, sends more than 40 billion e-mails annually. On April 1, Epsilon notified its clients of the breach. [Epsilon: Biggest Breach Ever?] Since that time, the original list of 50 affected brands has grown to more than 100, representing organizations of all sizes and sectors.

Aite Group Analyst Julie McNelley says it could be months before any substantial updates are released by Epsilon or the U.S. Secret Service, which is investigating the breach. But one thing the industry can expect soon is a more inclusive definition of what constitutes personally identifiable information, better known as PII.

E-mail addresses have historically fallen outside the purview of PII. But in light of the Epsilon breach, which potentially exposes millions of consumers to new phishing threats, e-mail addresses are likely to be deemed much more sensitive. The financial industry, in particular, might see direction related to how e-mail addresses are handled in the updated online authentication guidance expected from the Federal Financial Institutions Examination Council.

"That paradigm may be shifted," McNelley says. "I would expect us to see some recommendations about all personal information, including e-mail addresses, which financial institutions have not typically considered to be PII."

The Epsilon breach proves indirect relationships between e-mail addresses and personally sensitive information, such as a Social Security number or credit card details, can be just as dangerous as direct relationships. "I think we will see a changing attitude," McNelley says, especially if e-mail addresses can be linked to brands and shopping habits that give fraudsters better views of consumer profiles.

Communicating with Customers

Among the new organizations linked to the Epsilon breach: GlaxoSmithKline Consumer Healthcare, a division of global pharmaceutical and consumer healthcare company GlaxoSmithKline. Neil Schwartzman, a security specialist who's closely followed the Epsilon breach, says the Glaxo link between medical information and e-mail addresses is concerning, and proves how easily e-mail addresses can connect consumers to highly sensitive information.

"When you put PII into the context of what could happen if the criminals misuse the information about someone's prescriptions, either by selling them counterfeit drugs or using the information as an indicator about what particular disease a person is suffering from, for me, that has a far greater potential for disruption than mere identity theft or financial loss," Schwartzman says.

As with all companies reportedly impacted by the Epsilon breach, the Glaxo link highlights a greater concern about information legitimacy, says Bob Janacek, chief technology officer at e-mail security vendor DataMotion. Confirming the legitimacy of any e-mail communication is challenging, Janacek warns, and banking institutions and businesses should be mindful of the steps they take to keep consumers informed.

"It's still a challenge to keep consumers from opening e-mails that appear to be from their bank or credit union, even when they are not," Janacek says. "Anytime someone enrolls electronically for deliveries from their institution, then institutions should communicate with them through out-of-band means, such as postal mail, to tell them they will never be asked for certain types of information via electronic means. I think that would be a great idea, especially in this market. That does a lot to increase brand loyalty."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



