A few words about the Epsilon email breach

Most tech experts have chimed in about the Epsilon email breach that took place the end of March. While it’s too bad that the public was not informed until a few days following the breach, at least, we were informed by the mainstream media. But doesn’t it seem odd that we received notification of the security breach via email from Epsilon’s clients after the mainstream media reported the breach?

I received notification about the breach from Best Buy, McKinsey & Company, Marriott, and Disney Destinations. Two of the emails I received were signed by the company. McKinsey’s email was signed by McKinsey Quarterly’s Senior Managing Editor, Rick Kirkland, but the generic info@mckinseyquarterly.com was provided if I had questions.

The best email was from Best Buy for two reasons: first, it was signed by a real person, Barry Judge, Executive VP and Chief Marketing Officer; and second, it provided a link to a page on the Geek Squad website with “Six Steps to Keeping Your Data Safe.”

Marriott provided a link to a landing page on its site that provided the info that should have appeared in the email – looks like the page was just an extension of its corporate privacy policy.

In my mind, the discussion is focusing on the wrong thing. Sure, the security breach was bad, but why did all of the approximately 50 companies who hired Epsilon need Epsilon in the first place? Customers had placed their trust in companies from Capital One to Ritz-Carlton to Verizon to Walgreens, among others, and these companies just gave all their customer data to Epsilon. What guarantees were given by Epsilon to their clients for data protection? While nothing can be guaranteed, a company with this many clients needs to show its clients that they have procedures in place for intruder prevention and detection. What were the service level agreements (SLAs), and did they outline precautions that Epsilon would take to prevent such incursions? If none of this information was included in the SLAs, perhaps, it’s time for data-driven companies to include their information security strategies in SLAs.

In case you’re wondering, here’s the full list of companies who were affected by the Epsilon email breach.

So, what’s the next step? You could terminate your email address and create a new one – which will definitely cause you a headache. Or, you could change the password for your email account. Or, perhaps, this situation will give you incentive to click “unsubscribe” on those hundreds of emails you signed up for a long time ago and instead of reading them, you just delete them – a big waste of time. You can clean out your email box and, at the same time, evaluate the value of the emails you receive. If this happens, maybe, there was something positive that resulted from the Epsilon email security breach after all.


About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
This entry was posted in Business Process, Data Security, Privacy Rights. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s