
Epsilon: Confused About What Personally Identifiable Information (PII) Is

Does the World’s Largest Permission-Based Email Marketer Know What PII Is? Doesn’t Seem Like It.


Epsilon’s parent company, publicly traded Alliance Data Systems Corporation (NYSE: ADS), today issued a follow-up statement on the recent massive data breach, but provided little information beyond what the company had already stated in its initial disclosure of the breach.

What’s interesting, however, is that Epsilon continues to claim that no Personally Identifiable Information (PII) was compromised. Being the world’s largest permission-based email marketer, I would think that they, more than anyone, would know what PII is AND what can be done with it.

What amazes me is that the subheading of the release dives directly into how no PII was compromised:

Investigation Continues to Confirm Compromise Limited to Email Addresses and Names; No Personal Identifiable Information (PII) Compromised

According to the Guide to Protecting the Confidentiality of Personally Identifiable Information, published by the National Institute of Standards and Technology, examples of PII include:

• Name, such as full name, maiden name, mother‘s maiden name, or alias

• Address information, such as street address or email address

According to Wikipedia, Personally Identifiable Information, when used in information security, is defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.”

It appears to me that Epsilon is a bit confused about the definitions, and about what can be done with the personally identifiable information that WAS compromised and is now in the hands of the attackers.

According to Joris Evers, director of worldwide public relations for McAfee, “The bad news is that clever attackers could use what has been breached to gain more information. The Epsilon breach exposes millions of consumer names and e-mail addresses, potentially associated with particular household brands that these consumers do business with. This collection could be a treasure trove for cyberattackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses.”

“While Epsilon is not disclosing the exact number of emails impacted, we’re likely talking about hundreds of millions of exposed email addresses. Because attackers can link these email addresses to banks and retailers the email owner actually does business with, the likelihood of a successful attack is significantly increased,” said Steve Dispensa, PhoneFactor CTO and co-founder. “Phishing emails that appear to come from a person’s bank or a retailer they regularly receive emails from are more likely to be acted upon. Unfortunately it is very difficult for the average person to distinguish between a dangerous and a safe email. The result is likely an increase in the number of successful phishing attacks over the next few months.”

Josh Shaul, CTO at Application Security, Inc., says people need to pay attention to what is being sent to them. “Everyone should be on high alert that their inboxes will very likely be hit hard with phishing attempts and need to be extra vigilant on what they click on,” said Shaul. “To be safe, we might be better off if we just deleted any and all emails that appear to have been sent from breached companies for the immediate future. Epsilon has an estimated 2,500 customers. So far we only know of 50 that were affected. There are likely to be many more and this has the potential to get very ugly, very fast.”

Epsilon said that it’s working with Federal authorities, as well as other outside forensics experts, to both investigate the breach and to ensure that any additional security safeguards needed will be promptly implemented.

Epsilon is in an unfortunate situation. As SecurityWeek columnist Terry Cutler recently wrote, “RSA Breach: Not the First, Not the Last,” and just a few weeks later the Epsilon breach is the first big event since. You can be sure that the Epsilon breach won’t be the last big breach either.

Maybe financial details aren’t directly in the hands of attackers. That’s a good thing. But the last time I checked, a name was a damn good way to identify someone.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
