
The Epsilon Data Breach: What the Rest of Us Can Learn

April 7, 2011

Last week’s announcement of a data breach at e-mail marketing firm Epsilon has generated both significant news coverage and consumer angst over the past few days. And the ripple effect likely will continue well into the future, if and when the stolen data is put to use in spam and phishing attacks. For us in the technology sphere, the unfortunate events at Epsilon resurface the age-old question, “Have we done enough to protect our data?”

Of course, there’s no way for us on the outside to know for sure how the hackers accessed Epsilon’s data. Suffice it to say, whatever the security measures, they’ve been proven inadequate. I could speculate ad nauseam about the circumstances that led to the breach, but let’s not go there. The fact of the matter is this: No matter how robust your information security program is, every company is vulnerable in some way to a data breach.

Now, in the Epsilon breach, the hackers obtained only customer names and e-mail addresses. I say “only” because the stolen information apparently doesn’t include Social Security numbers, bank account numbers, mailing addresses or other data that could prove much more harmful in the wrong hands. But, really, is “only” ever a word that should be associated with stolen tier 1 data? Because in the case of Epsilon, an e-mail marketing firm, that’s exactly what names and e-mail addresses are: business-critical, highly sensitive tier 1 data. A name paired with a verified address at a known brand is all a phisher needs to write a convincing message.

The Epsilon breach raises the question for the rest of us: No matter how our organizations define tier 1 data, are we doing everything we can to adequately protect this data, our businesses and our customers (or our customers’ customers, which in the case of Epsilon include some of the world’s biggest brands)? And I don’t mean just doing everything we can in terms of information security controls. I also mean in terms of how, and where, we store our tier 1 data.

Tier 1 data that is frequently accessed or currently in use has to stay online, but specific idle (yet still highly sensitive and confidential) data sets can be segmented out and stored offline, i.e. on tape. When the organization needs one of these archived sets again, for instance for a specific e-mail marketing campaign, it restores that set from tape, uses it, and then removes the restored copy so that the set goes back to being offline. Two caveats apply: an offline copy protects nothing if the same records are also left in the online database, and the tapes themselves still need encryption and physical chain-of-custody controls, since a box of unencrypted tapes is its own breach waiting to happen. Done properly, archiving specific data sets takes what could be a significant percentage of the data out of a network intruder’s reach, and it also shrinks the backup window for the online data, a welcome side effect.
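The segment-and-archive cycle described above, as an added example that is not part of the original post and not Epsilon’s process: idle records are split out by last-use date, written to one archive file per segment (a temporary directory stands in for tape), removed from the online store, and later restored one segment at a time against a digest manifest that stays online. The sample contact records, the 90-day idle threshold, the segment names and the file layout are all constructed for illustration; the example does not encrypt the archive, which a real tape workflow must do separately.

```python
"""Added example: segment idle tier 1 data (names and e-mail addresses) out of
the online store into per-segment offline archives, keep only a digest manifest
online, and restore narrowly with an integrity check. Illustrative only."""
import gzip
import hashlib
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Constructed sample records (not real people, not Epsilon data).
# "last_used" is the date the record was last pulled into a campaign;
# "segment" is the key campaigns select on (assumed regional segments).
SAMPLE_STORE = [
    {"name": "Ann Example", "email": "ann@example.com", "segment": "us-east", "last_used": "2011-04-01"},
    {"name": "Bob Example", "email": "bob@example.com", "segment": "us-east", "last_used": "2010-09-12"},
    {"name": "Cy Example",  "email": "cy@example.com",  "segment": "eu-west", "last_used": "2010-06-30"},
    {"name": "Di Example",  "email": "di@example.com",  "segment": "eu-west", "last_used": "2011-03-28"},
    {"name": "Ed Example",  "email": "ed@example.com",  "segment": "apac",    "last_used": "2010-11-02"},
]


def split_by_idle(records, today, max_idle_days):
    """Return (hot, cold): cold records were not used within max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    hot, cold = [], []
    for rec in records:
        (cold if date.fromisoformat(rec["last_used"]) < cutoff else hot).append(rec)
    return hot, cold


def archive_cold(cold, archive_dir):
    """Write one gzip'd JSON file per segment; return a manifest of digests.

    Only the manifest (counts and SHA-256 of each segment payload) stays
    online, so a restore can be verified without the data itself being online.
    """
    by_segment = {}
    for rec in cold:
        by_segment.setdefault(rec["segment"], []).append(rec)
    manifest = {}
    for seg, recs in sorted(by_segment.items()):
        payload = json.dumps(recs, sort_keys=True).encode()
        with gzip.open(Path(archive_dir) / f"{seg}.json.gz", "wb") as fh:
            fh.write(payload)
        manifest[seg] = {"count": len(recs), "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest


def restore_segment(segment, archive_dir, manifest):
    """Restore exactly one segment, refusing a payload whose digest changed."""
    with gzip.open(Path(archive_dir) / f"{segment}.json.gz", "rb") as fh:
        payload = fh.read()
    if hashlib.sha256(payload).hexdigest() != manifest[segment]["sha256"]:
        raise ValueError(f"archive for segment {segment!r} failed integrity check")
    return json.loads(payload)


def demo(today=date(2011, 4, 7), max_idle_days=90):
    """Run the full cycle on the sample store and report the outcome."""
    archive_dir = tempfile.mkdtemp(prefix="cold-")  # stand-in for tape
    hot, cold = split_by_idle(SAMPLE_STORE, today, max_idle_days)
    manifest = archive_cold(cold, archive_dir)
    online = hot  # the cold rows are gone from the online store from here on

    # A campaign needs eu-west: restore that segment only, nothing else.
    restored = restore_segment("eu-west", archive_dir, manifest)

    # Simulate a tampered or swapped tape for apac and confirm restore refuses it.
    with gzip.open(Path(archive_dir) / "apac.json.gz", "wb") as fh:
        fh.write(json.dumps([{"email": "mallory@example.com"}]).encode())
    try:
        restore_segment("apac", archive_dir, manifest)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "online": sorted(r["email"] for r in online),
        "archived_segments": manifest,
        "restored_eu_west": sorted(r["email"] for r in restored),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the 90-day threshold, two of the five sample records stay online and three go to tape across three segment files; restoring the eu-west segment for a campaign brings back one address, not the whole archive, and the altered apac file is rejected. The restored copy should be deleted once the campaign runs, or it quietly becomes online data again.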

Could storing segmented data sets offline have limited Epsilon’s exposure by keeping potentially millions of e-mail addresses out of hackers’ hands? Who’s to say? What I can say is this: The time to consider offline storage for segmented tier 1 data is now—before failing to do so makes an Epsilon out of your organization.

2 Comments
  1. steve t permalink

    Makes you think about their entire methodology around their data protection, or apparent lack thereof. If they are doing regional mailing campaigns and manage their data accordingly, they “may have” saved millions of email addresses from this hack.
    Question is, what IT staff member did they recently let go? Do they change their sysadmin passwords regularly?

  2. Before those questions are posed I think we would need to know where the breach stemmed from. Was it internal or external? If it was internal, did it come from within I.T. or another department where there was access to these records? The truth is we’ll never know (an entirely separate topic, but one worth noting). Let’s hope that they learn from their mistakes. Managing our personal data should take as much priority as the revenue it generates for them.
