Connect with us

Hi, what are you looking for?


Privacy & Compliance

Epsilon: Confused About What Personally Identifiable Information (PII) Is

Does the World’s Largest Permission-Based Email Marketer Know What PII Is? Doesn’t Seem Like It.

Does the World’s Largest Permission-Based Email Marketer Know What PII Is? Doesn’t Seem Like It.

Epsilon’s parent company, publicly traded Alliance Data Systems Corporation (NYSE: ADS), today issued a follow-up statement to the recent massive data breach, but provided little information beyond what the company had already stated in its initial disclosure of the breach.

What’s interesting, however, is that Epsilon continues to claim that no Personally Identifiable Information (PII) was compromised. Being the world’s largest permission-based email marketer, I would think that they, more than anyone, would know what PII is AND what can be done with it.

What amazes me is that the subheading of the release dives directly into how no PII was compromised:

Investigation Continues to Confirm Compromise Limited to Email Addresses and Names; No Personal Identifiable Information (PII) Compromised

Epsilon Data Breach: Does Disclose Personally Identifiable InformationAccording to the Guide to Protecting the Confidentiality of Personally Identifiable Information, published by the National Institute of Standards and Technology, examples of PII include:

Name, such as full name, maiden name, mother‘s maiden name, or alias

• Address information, such as street address or email address

According to Wikipedia, Personally Identifiable Information, when used in information security, is defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.”

It appears to me that Epsilon is a bit confused on the definitions, and what can be done with the personally identifiable that WAS compromised and in the hands of the attackers.

Advertisement. Scroll to continue reading.

According to Joris Evers, director of worldwide public relations for McAfee, “The bad news is that clever attackers could use what has been breached to gain more information. The Epsilon breach exposes millions of consumer names and e-mail addresses, potentially associated with particular household brands that these consumers do business with. This collection could be a treasure trove for cyberattackers who could use the information to con unsuspecting individuals out of more valuable information such as credit card numbers and home addresses.”

“While Epsilon is not disclosing the exact number of emails impacted, we’re likely talking about hundreds of millions of exposed email addresses. Because attackers can link these email addresses to banks and retailers the email owner actually does business with, the likelihood of a successful attack is significantly increased,” said Steve Dispensa, PhoneFactor CTO and co-founder. “Phishing emails that appear to come from a person’s bank or a retailer they regularly receive emails from are more likely to be acted upon them. Unfortunately it is very difficult for the average person to distinguish between a dangerous and a safe email. The result is likely an increase in the number of successful phishing attacks over the next few months.”

Josh Shaul, CTO at Application Security, Inc. says people need to pay attention to what is being sent to them. “Everyone should be on high alert that their inboxes will very likely be hit hard with phishing attempts and need to be extra vigilant on what they click on”, said Shaul.  “To be safe, we might be better off if we just deleted any and all emails that appear to have been sent from breached companies for the immediate future. Epsilon has an estimated 2,500 customers. So far we only know of 50 that were affected. There are likely to be many more and this has the potential to get very ugly, very fast.”

Epsilon said that it’s working with Federal authorities, as well as other outside forensics experts, to both investigate the breach and to ensure that any additional security safeguards needed will be promptly implemented.

Epsilon is in an unfortunate situation. As SecurityWeek columnist Terry Cutler recently wrote, “RSA Breach: Not the First, Not the Last,” and just a few weeks later is the first big event since. You can be sure that the Epsilon breach won’t be the last big breach as well.

Maybe financial details aren’t directly in the hands of attackers. That’s a good thing. But the last time I checked, a name was a damn good way to identify someone.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.


The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...