Epsilon breach: When should almost public info be private?

A press feeding frenzy followed the somewhat vague April Fools Day announcement by Epsilon Data Management that someone had hacked into its systems and stolen a bunch of email addresses. The addresses were of people who had "opted in" for email marketing by a bunch of major vendors such as Target and Red Roof Inns, and many of the vendors sent announcements of the breach to their customers (I got such an announcement from a vendor I had purchased a present from for my wife. The announcement did not say all that much, essentially it told me to "be careful".).

Was this an important breach? What should you do if you have amassed a pile of such information?

MAILBAG: 'We regret to inform you': The Epsilon breach letters you don't want to see 

We did not find out all that much about the Epsilon Data Management breach from the first press release (other than to say that the company did not quite live up to the promise of its corporate name). And the second press release did not add much actual data.

It seems to me that it would be better for Epsilon to be more forthcoming as to the scale of the breach and other details.

It might be fun to try to figure out why the press found this breach so interesting. (This publication had 10 articles on it and Google News picks up over 3,000.) By any objective measure, loss of a bunch of email addresses pales in comparison to what else has been going on - for example the breach at Ohio State University that may have exposed 760,000 names and Social Security numbers of current and former Ohio State "faculty, students and staff as well as applicants and other individuals who have been associated with the university."

The Ohio State breach seems to have gone unnoticed by most technical publications.

The biggest threat from the Epsilon breach to those whose email addresses were stolen is that you may receive better-targeted phishing attempts. RSA's description of how their recent breach happened does show that the risks of phishing attacks can be quite real. But the risk with exposing email addresses will always be far less than with exposed SSNs since so many institutions, such as banks, think that anyone with the knowledge of your name and SSN must be you - a stunningly stupid, and common, assumption.

But there clearly is a lesson that enterprises should learn from the Epsilon situation - any enterprise that stores any significant amount of information that some part of the public might consider to be, to some degree, private needs to actually protect that information from theft.

One example of a reasonable best practice for protecting private information is the Payment Card Industry's Data Security Standards (PCI DSS).

A lot in the PCI DSS might be overkill if you are only protecting a database full of names and email addresses, but the basic system architecture makes a lot of sense. For example, you should not store any confidential information on any Web server - ever. If you do need to store confidential data, it should be stored on a backend database with a firewall between the database and any Web server, and between the database and any enterprise users.

Such protections do not always prevent hackers from being successful, but they do make things harder for the hacker and give you a better story to tell if you do get hacked.

Disclaimer: Harvard has classes on how to tell stories but I have not taken that class or asked the instructors about the above story, so it must be my own.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitydata breachTargetEpsilon

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Scott Bradner

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?