Epsilon's Data Breach Raises Awareness Of Cyber Crime

By now, you've all heard about Epsilon's April 1 data breach — an unauthorized party accessed a subset of Epsilon's email clients' data. My colleague Dave Frankland outlines the circumstances of the incident and its implications for Customer Intelligence and data security in his blog post immediately following the incident.

I attended Epsilon's Customer Symposium in Naples, Fla., last week, and I wanted to pipe in with some commentary based on what was addressed directly by Epsilon at the event.

Marketers: The way I would look at this is "if a data breach can happen to Epsilon — a firm which specializes in data and data management — it can definitely happen to me." We learned from Bryan Sartin, director of investigative services, Verizon Business Security Solutions, and Mick Walsh, supervisor, Miami Electronic Crime Task Force, US Secret Service, that electronic crime is a huge and growing business, due in part to the ease of access to consumer information online and the ease of access to the data black market through online search engines. Three-quarters of cases of electronic crimes executed through malware come from data disclosed through Facebook.

Note that most cyber crimes:

  • Come from external agents — as opposed to from within a company that is victimized. Internal threats have increased during the recession, though: laid-off employees often have a few weeks' notice before their last day, which gives them a perfect window of time to get back at their employer by stealing data.
  • Are about getting into one company and using its network or data as a gateway to other companies.
  • Are individually motivated — not state-sponsored. Incidents are typically run by criminals who want to convert data to cash — for example, your corporate username and password can sell for $30,000 — rather than by terrorist circles with political or societal motivations.
  • Can be deterred by: 1) investing in network security — networks with out-of-date security or unauthorized accessories plugged into them are risky, and 2) corporate compliance with network security measures (when IT asks you to change your network password every few weeks — do it!).

As Dave mentions, the issue of data security is a mandatory concern for marketers and security and risk professionals to address. Marketers need IT help to manage network and data collection requirements that will detect fraud or unauthorized data use and collect consumer data responsibly. Bad collaboration here means marketers will face a likely future of damage control for their at-risk brands rather than one which allows for the creation of relevant messages. 

Comments

Epsilon Data Breach Raises Awareness of CyberCrime

I wonder if there was any discussion at this forum on the business risk of outsourcing customer lists to a 3rd party, and any discussion about the electronic security practices of any particular third party such as Epsilon. I just received another phishing email today purportedly from Chase, so clearly the damage from this breach continues to ripple.