Epsilon data breach causes potential reputational havoc for major US brands

Reports that Epsilon, the permission-based email marketing firm, has suffered a major data breach could cause severe reputational damage for its clients.

Hackers appear to have downloaded a ‘subset’ of Epsilon’s database, potentially exposing the contact details for customers of several high-profile brands to phishing attacks and spam.

The reasons for the breach have yet to emerge, but I think it is also interesting that The Register reported an invalid security certificate on the Epsilon website over the weekend, noting that the marketing firm’s client list includes AbeBooks, a major bookseller; Lacoste, the luxury sports goods firm; Marriott, the hotel chain; and several other major US companies.

The two incidents may not be linked, but an out-of-date encryption key only makes the company’s security situation worse. Epsilon has issued a terse one-paragraph press statement about the main data incursion, but the primary issue here is that the email details relate to people who have opted into one or more of the company’s emails, meaning that cybercriminals can now profile these users far more precisely than if they had simply rented a spam emailing database.

The problem now is that Epsilon’s clients must notify the Internet users whose details have been compromised. Affected users will likely be less well disposed towards the companies concerned, and the reputational impact and damage to their brands could be significant. Recovering from such public breaches is difficult.

Let’s put that simply: if your favourite supermarket chain admitted that your opt-in details had been lost, you probably wouldn’t feel good about it. You might even switch your loyalty for the goods or services concerned to another brand.

And that is the root problem that clients of Epsilon now face: a crisis of trust that will almost certainly result in reputational damage for the companies concerned.

This is the stuff of which corporate lawsuits are made, and the fact that all the parties concerned are based in the US – one of the most litigious countries in the world – means that lawyers will now almost certainly be rubbing their hands with glee.

The fallout from this database hack, however it was caused, is going to be interesting. The saga will hopefully act as a wake-up call to IT security professionals about the need to better secure their data, using a mixture of encryption, proper key management and authorised access to the databases they keep.

It also calls into question the increasingly popular trend towards outsourcing customer data to third-party and specialist marketing firms, since this incident will probably trigger a rash of consequential data privacy amendments to the contracts of these firms. This will almost certainly result in more complex service level agreements for these types of services.

This case, though relatively simple on the face of it, could have profound repercussions for the marketing industry and the security of client information.

A key executive in four successful, high-technology start-ups that have gone public, Jeff Hudson brings over 25 years of experience in information technology and security management. Jeff has spent a significant portion of his career developing and delivering leading edge technology solutions for financial services and other Global 2000 companies. Prior to joining Venafi, Jeff was the CEO of Vhayu Technologies. Vhayu was the market leader for the analysis and capture of market data, and was acquired by ThomsonReuters. Prior to joining Vhayu, Jeff held numerous executive leadership posts, including CEO and cofounder of MS2, Senior Vice President of Corporate Development at Informix Software, CEO of Visioneer, and numerous senior executive posts at NetFRAME Systems and WYSE Technology. He started his career with IBM. Jeff earned a B.A. in communications at the University of California, Davis.

  • GFI

    This breach is remarkable because of the number of companies and customers it affects, but realistically, it would have been much worse had credit card numbers, social security numbers or other similar types of high-value personal information been compromised. The biggest potential issue this may cause is an increased level of spam and phishing attacks for those whose names and email addresses were hacked, requiring extra vigilance on the part of those who were affected. However, this type of incident should not be taken lightly. It’s another reminder that privacy is an illusion on the internet.

    Alex Eckelberry, general manager of the Security Business Unit, GFI Software