Breach shines light on murky world of e-mail marketing outsourcers and how consumers don't know where their data is ending up.
Elinor MillsFormer Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
If you didn't get an e-mail warning this week that your name and e-mail address were part of a database that was breached, consider yourself lucky, and unique.
E-mails from dozens of companies--including Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, Verizon, and Ritz Carlton--began flooding inboxes this week after a company called Epsilon announced that its system had been breached. Some people have reported receiving as many as four of these warnings.
Citibank is a household name, as are most of the brands on the list (which now reaches more than 55, according to this list on DataBreaches.net). But who exactly is Epsilon, and what is it doing with my data?
Sporting a tag line of "Marketing As Usual. Not A Chance," Epsilon is one of a growing number of companies that offer outsourced services to help companies attract and keep customers. In addition to offering e-mail marketing services and managing customer e-mail databases for clients, Epsilon monitors social networking and other sites to see what people are saying about a company, advises on markets to target, helps develop and maintain customer loyalty programs, and offers Abacus, "the world's largest cooperative database with over 8.6 billion consumer transactions and 4.8 billion business transactions" used for creating lists of prospective customers. The different data Epsilon sells includes age, profession, residence, ethnic information and political affiliation, according to a list published on the site of security firm Magmatic.
"The e-mail component of Epsilon is a small part of the company," Dave Frankland, vice president and principal analyst at Forrester Research, told CNET. "They are in the business of managing customer data and helping companies integrate that data and communicate more effectively with customers. So they have a lot more information than just e-mail addresses and names."
Dallas-based Epsilon, which has more than 2,500 clients, was ranked best in class in a Forrester report from January, based on size, reputation, customer satisfaction, and other criteria, Frankland said. For that distinction, they beat out a host of other companies you probably haven't heard of like Acxion, ExactTarget, Responsys, Silverpop, e-Dialog, Alterian, Emailvision, and Yesmail.
Breaches at third-party providers aren't new. After McDonald's and other companies' customers were informed of a breach at their e-mail database provider late last year, Silverpop acknowledged that it was one of "several technology providers targeted as part of a broader cyberattack."
Case study: Walgreens
Around the same time, Walgreens disclosed that its customer e-mails had been exposed in a breach, but a spokesman told CNET that the data compromise was not related to Silverpop. Walgreens named Epsilon out right in its warning this weekend, which raises the question of whether this is the second breach for Epsilon. (Databreaches.net also is looking into whether ExactTarget was involved at all in recent data breaches reported by TripAdvisor, Play.com, and Game Show Network. ExactTarget did not respond to an e-mail and phone call from CNET seeking comment.)
Meanwhile, DataBreaches.net asked Walgreens whether Epsilon was its third-party provider that was breached last year and got this response: "After the incident last year, Walgreens requested that Epsilon put a number (of) additional security measures in place. Apparently, that expectation was not fully met." (A Walgreens spokeswoman did not respond to an e-mail from CNET seeking comment.)
An Epsilon spokeswoman said the company could not comment beyond what it said in its statement because the investigation is ongoing. Epsilon also won't reveal how many of its customers were affected; only that it is 2 percent of its clients.
Another troubling aspect to the Walgreens breaches is that even people who had unsubscribed, or opted out, of the marketing e-mails were receiving the breach notifications, according to Databreaches.net publisher, who goes by the name "Dissent."
"Why don't they delete the data of people who opt out?" she asked. "Consumers do not know when they are signing up where the data are actually going, who's got it and why they've got it."
In addition, it appears that at least one company--Benefit Cosmetics--told customers in its notification e-mail that it is affected by the breach even though it is no longer a customer of its third-party provider.
"That means they (third-parties) are hanging onto the data even after a customer leaves," said Jake Kouns, co-founder and president of the Open Security Foundation, which operates the DataLossDB.org site. "Do we really believe they only had first names and e-mail addresses? I think we can all say they had more than that and in this particular case, maybe, it's just fortunate that that is all that was leaked."
A former technology architect at Citibank who worked on the bank's Epsilon interface before getting laid off two years ago says he questioned the security expertise of the outsourcer at the time and suggested Citibank handle its own customer rewards program.
"I said we should audit these guys and make sure they have the same level of security we have. That too fell on deaf ears and so here we are," Don Lykins, now an independent application software consultant, told CNET. "We had to give them data, all kinds of customer data. I was uncomfortable doing that...Your transactions drive your rewards, so they'd have to have some account information too."
A thicket of third parties
The murky ecosystem of third-party providers runs deep and wide, making these firms ripe targets for malicious hackers. In 2009, ChoicePoint, one of the country's largest data brokers, was fined $275,000 by the U.S. Federal Trade Commission for a breach that exposed personal information of nearly 14,000 people. Also that year, payroll processor PayChoice had two breaches in less than a month. The largest breach on record involved 130 million records exposed during a compromise of Heartland Payment Systems.
The Epsilon breach appears to be truly shaking the industry, said Frankland who is at the Forrester Marketing Forum this week and wrote this blog post on the incident.
"Epsilon, as well its competitors are here. They're all saying 'it could have been us,'" he said. "There is a lot of talk about legislation in the industry. This is going to increase the spotlight."
Big name brands affected by the Epsilon breach will take a hit to their reputations, Frankland predicted. "In a year's time you won't remember Epsilon's name, but you will remember Walgreens and Chase," he said. "If [Epsilon clients] aren't evaluating their relationship to the company, I would be shocked."
The DataLossDB.org lists the Epsilon breach as a "fringe incident" because Epsilon says it only involves names and e-mail addresses, which even when combined do not represent personally identifiable information (PII). While affected consumers may be at higher risk of spear phishing attacks due to the breach, information such as credit card data and Social Security numbers that could be used to rob accounts and conduct identity fraud does not appear to have been involved.
But some experts counter that more harm can be done with verified e-mail addresses, especially when combined with user names.
"With just an e-mail address, one can use search engines to determine several key details about a person. You can find out their first and last name, where they work as well as what their title is, what responsibilities are and what software, hardware, and key company assets are under their purview," said B.K. DeLong, director of market insights at security consultancy IANS. "E-mail addresses are also often the login credential for many third-party Web sites and chat services these days."
To best protect against the espionage threat, people affected by the breach should change their passwords and their e-mail addresses, or use throw-away or site specific e-mail addresses that services like Cotse.net offer that allow users anonymity but allow them to trace spam back to a particular Web site breach.
Epsilon also has information and links for opting out of its e-mail and marketing services on its Web site here.
"Consumers have little idea of the amount of outsourcing that's going on... Many people are getting notified multiple times," said Kouns of the Open Security Foundation. "I think that while this may not involve PII, the fact that it affects so many companies has really hit home."