Does the World’s Largest Permission-Based Email Marketer Know What PII Is? Doesn’t Seem Like It.
Epsilon’s parent company, publicly traded Alliance Data Systems Corporation (NYSE: ADS), today issued a follow-up statement to the recent massive data breach, but provided little information beyond what the company had already stated in its initial disclosure of the breach.
What’s interesting, however, is that Epsilon continues to claim that no Personally Identifiable Information (PII) was compromised. As the world’s largest permission-based email marketer, Epsilon, more than anyone, should know what PII is AND what can be done with it.
What amazes me is that the subheading of the release dives directly into how no PII was compromised:
“Investigation Continues to Confirm Compromise Limited to Email Addresses and Names; No Personal Identifiable Information (PII) Compromised”
According to the Guide to Protecting the Confidentiality of Personally Identifiable Information, published by the National Institute of Standards and Technology, examples of PII include:
• Name, such as full name, maiden name, mother’s maiden name, or alias
• Address information, such as street address or email address
According to Wikipedia, Personally Identifiable Information, when used in information security, is defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.”
It appears to me that Epsilon is a bit confused about the definitions, and about what can be done with the personally identifiable information that WAS compromised and is now in the hands of the attackers.
According to Joris Evers, director of worldwide public relations for McAfee, “The bad news is that clever attackers could use what has been breached to gain more information. The Epsilon breach exposes millions of consumer names and e-mail addresses, potentially associated with particular household brands that these consumers do business with. This collection could be a treasure trove for cyberattackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses.”
“While Epsilon is not disclosing the exact number of emails impacted, we’re likely talking about hundreds of millions of exposed email addresses. Because attackers can link these email addresses to banks and retailers the email owner actually does business with, the likelihood of a successful attack is significantly increased,” said Steve Dispensa, PhoneFactor CTO and co-founder. “Phishing emails that appear to come from a person’s bank or a retailer they regularly receive emails from are more likely to be acted upon. Unfortunately it is very difficult for the average person to distinguish between a dangerous and a safe email. The result is likely an increase in the number of successful phishing attacks over the next few months.”
Josh Shaul, CTO at Application Security, Inc., says people need to pay attention to what is being sent to them. “Everyone should be on high alert that their inboxes will very likely be hit hard with phishing attempts and need to be extra vigilant about what they click on,” said Shaul. “To be safe, we might be better off if we just deleted any and all emails that appear to have been sent from breached companies for the immediate future. Epsilon has an estimated 2,500 customers. So far we only know of 50 that were affected. There are likely to be many more and this has the potential to get very ugly, very fast.”
Epsilon said that it’s working with Federal authorities, as well as other outside forensics experts, to both investigate the breach and to ensure that any additional security safeguards needed will be promptly implemented.
Epsilon is in an unfortunate situation. As SecurityWeek columnist Terry Cutler recently wrote of the RSA breach, it was “Not the First, Not the Last,” and just a few weeks later Epsilon is the first big event since. You can be sure that the Epsilon breach won’t be the last big breach, either.
Maybe financial details aren’t directly in the hands of attackers. That’s a good thing. But the last time I checked, a name was a damn good way to identify someone.