Epsilon, data security, and open questions

It’s been quite an active week in the security arena, and I’ve been following the Epsilon data breach story with interest (despite being locked in a windowless conference room for 2 days of meetings). Clearly, there’s been a lot of focus (and rightly so) on the millions of email addresses compromised from many major companies’ marketing lists managed by Epsilon.

Like most people I’ve spoken with, I’ve already received several notifications from companies with whom I do business that my email address has likely been leaked, as a result of “unauthorized entry into Epsilon’s email system”.

There are still many unknowns about this, including the extent of the data lost and the method of access. These are all legitimate questions, for which we deserve answers. As someone whose email address has been stolen, and as a vendor in the security space, I’m doubly interested.

In addition to the open questions about specifically what data was lost, from a security perspective (and from the perspective of wanting to prevent future recurrences), it’s very important for us to get clarity on exactly how this data was accessed.

Was this a hacker attack, exploiting a security hole, or did this somehow involve abuse of improper access, perhaps from an employee or business partner? Or, as is increasingly common, was it a blend of these?

While simply obtaining email addresses might only be considered a minor annoyance, the fact that these were exposed with the associated context of the business relationship significantly increases the risk of successful phishing attacks. With so many millions of email addresses exposed, even a low-percentage attack will bear fruit.

And, as the recent RSA attack demonstrates (a topic I’ll discuss in my next blog entry), this kind of targeted phishing can serve as an entry point for a very damaging attack.

I look forward to learning more about this attack, and discussing the implications here.


Brian Cleary is vice president of products and marketing at Aveksa, a leading provider of enterprise access governance solutions. Brian has more than 17 years of experience directing technology marketing initiatives for both emerging technology companies and top-tier enterprise software vendors. In previous positions, Brian served as vice president of marketing at OpenPages and as senior vice president of marketing at Computer Associates (CA). He has also held management positions at Netegrity, Allaire Corporation and Macromedia. He holds a bachelor’s degree from Syracuse University.