Epsilon breach: When should almost public info be private?

A press feeding frenzy followed the somewhat vague April Fools Day announcement by Epsilon Data Management that someone had hacked into its systems and stolen a bunch of email addresses. The addresses were of people who had "opted in" for email marketing by a bunch of major vendors such as Target and Red Roof Inns, and many of the vendors sent announcements of the breach to their customers (I got such an announcement from a vendor I had purchased a present from for my wife. The announcement did not say all that much, essentially it told me to "be careful".).

Was this an important breach? What should you do if you have amassed a pile of such information?

MAILBAG: 'We regret to inform you': The Epsilon breach letters you don't want to see 

We did not find out all that much about the Epsilon Data Management breach from the first press release (other than to say that the company did not quite live up to the promise of its corporate name). And the second press release did not add much actual data.

It seems to me that it would be better for Epsilon to be more forthcoming as to the scale of the breach and other details.

It might be fun to try to figure out why the press found this breach so interesting. (This publication had 10 articles on it and Google News picks up over 3,000.) By any objective measure, loss of a bunch of email addresses pales in comparison to what else has been going on - for example the breach at Ohio State University that may have exposed 760,000 names and Social Security numbers of current and former Ohio State "faculty, students and staff as well as applicants and other individuals who have been associated with the university."

The Ohio State breach seems to have gone unnoticed by most technical publications.

The biggest threat from the Epsilon breach to those whose email addresses were stolen is that you may receive better-targeted phishing attempts. RSA's description of how their recent breach happened does show that the risks of phishing attacks can be quite real. But the risk with exposing email addresses will always be far less than with exposed SSNs since so many institutions, such as banks, think that anyone with the knowledge of your name and SSN must be you - a stunningly stupid, and common, assumption.

But there clearly is a lesson that enterprises should learn from the Epsilon situation - any enterprise that stores any significant amount of information that some part of the public might consider to be, to some degree, private needs to actually protect that information from theft.

One example of a reasonable best practice for protecting private information is the Payment Card Industry's Data Security Standards (PCI DSS).

A lot in the PCI DSS might be overkill if you are only protecting a database full of names and email addresses, but the basic system architecture makes a lot of sense. For example, you should not store any confidential information on any Web server - ever. If you do need to store confidential data, it should be stored on a backend database with a firewall between the database and any Web server, and between the database and any enterprise users.

Such protections do not always prevent hackers from being successful, but they do make things harder for the hacker and give you a better story to tell if you do get hacked.

Disclaimer: Harvard has classes on how to tell stories but I have not taken that class or asked the instructors about the above story, so it must be my own.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Targetsecuritydata breachEpsilon

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Scott Bradner

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?