A few days ago, CAUCE published a blog post entitled “Epsilon Interactive breach the Fukushima of the Email Industry” on our site, and the always-excellent CircleID.
A small coterie of commenters was upset by the hyperbolic nature of the headline. Fair enough, an analogy usually has a high degree of probability that it will fail, and clearly, no one has died as a result of the release of what appears to be tens of millions of people’s names and email addresses.
But, the two situations are analogous in many other ways, and here’s why. When I wrote the piece, I had in mind an article I recently read at The Economist, ‘When the steam clears - The Fukushima crisis will slow the growth of nuclear power. Might it reverse it?’, which sums up the aftermath neatly.
“FEAR and uncertainty spread faster and farther than any nuclear fallout.” – The Economist
There has been tremendous initial effect across the email industry as a result of Epsilon-shima. That whooshing you may have heard last Saturday was the sound of a collective frightened intake of breath at major brands and ESPs. A security staffer noted he had slept very little over the weekend, as the news broke. The fact of the matter is, this happened to Epsilon, but it could just as easily have happened to any of their competitors, of which there are many hundreds.
Followers of the Twitter #epsilon hashtag see that regular, everyday people are furious. They are furious that the trusted brands they do business with handed over their personal information to a 3rd party, they are furious that it was stolen due to lack of security, and they want to know who the hell Epsilon is (CAUCE Director Dennis Dayman wrote about the need for transparency among emailers here). End-users are also beginning to blame every piece of spam they receive on Epsilon, even though, to date, there have been no verifiable reports that I have seen that the thieves have sent a single piece of spam out. End-users are gun-shy. Unfortunately, they’ll get over it, of course, and drop their guard, making them vulnerable to spear-phishing.
“There will certainly be more durable effects too. Years of cleanup will drag into decades” – The Economist
It’s true. Once lost, these email addresses will very likely be used as spear-phishing targets (remember, the criminals also have the proper names of victims, as well as a list of who they did business with, including their financial institutions). Once they have served that purpose, they will be sold to other spammers, who will send untargeted spam to them. While spam filters will likely take care of most of this problem, there will undoubtedly be financial losses and successful instances of Identity Theft as a direct result of the Epsilon breach. This is a mess that simply can’t be cleaned up by form letters downplaying the theft, assuring people the criminals ‘only’ stole the data they did.
Make no mistake about it, an email address is considered to be personally identifiable information in Canada and Europe, and for good reason, because quite simply it is private information. Canadian and European brands were affected by the Epsilon breach. While the United States lags far behind the rest of the world with regard to breach and privacy legislation, this thing is far from over from an investigative and legal standpoint.
(An ESP) “Looks dangerous, unpopular, expensive and risky. It is replaceable with relative ease and could be forgone with no huge structural shifts in the way the world works. So what would the world be like without it?” – The Economist
ESPs are simply out-sourced services that many companies use to maintain their customer database and to send email marketing campaigns, and sometimes transactional email, to clients.
We know that Epsilon lost 50 companies’ client information. What if all 50 of those companies were doing their own email and database management? In practical terms, I could see that making things worse. Relying on relatively unskilled, or even incompetent IT and marketing departments at retailers to do email correctly from a technical and policy standpoint is a highly unlikely scenario. Mass emailing is quite complicated these days, with laws, technical requirements, and methodologies ever-changing. Better to centralize the adherence to industry standards in the hands of the experts. If ESPs magically disappeared, mass email marketing would be in a bigger mess than it is today.
Like Fukushima, there were plenty of preemptive rumbles that should have reasonably warned Epsilon and the other ESPs that something bad was coming. There had been at least a dozen breaches of ESPs in the last year, and database and site breaches are as ‘common as car crashes’ as British Telecom Chief Security Officer Bruce Schneier said.
Akin to the Tokyo Electric Power Company, even in light of prescient safety reports, ESPs failed to react appropriately to secure their sites. Databases should be encrypted, industry-standard security technologies and policies deployed, and 2-factor authentication implemented to access private data, across the board, as quickly as humanly possible.
Sadly, none of these is a silver bullet that will make data 100% secure. There is no such thing as 100% security, but all holders of private information, including ESPs, must be held accountable to the highest standards, and not continue to allow themselves to be dumb, low-hanging fruit for criminals.
ESPs … “won’t go away, but … must to some extent remain a sideshow, however spectacular it looks when (they go) wrong.” – The Economist
Epsilon and other members of the sending and ESP communities have a tremendous opportunity to change in front of them, to become competitively better than ever. Epsilon will likely recover from this debacle, but the next ESP breached in a similar manner? Their fate remains quite uncertain.