Thousands – potentially millions – of e-mail addresses have been stolen in a hacker attack on US marketing firm Epsilon, but the firm has downplayed the incident, saying that the data is limited to e-mail addresses and/or customer names.
The company, which handles 40bn customer communication e-mails a year for more than 2,500 clients, was at pains to point out that no other identifiable personal information associated with the names was at risk.
But Rik Ferguson, director of security research and communication at security firm Trend Micro, says this belies the real risk and is misleading for customers of the at least 40 companies affected by the breach.
In reality, the attacker not only has names and e-mail addresses, but also information about where these people shop, bank, stay on holiday and more, he says.
"If you are unfortunate enough to have received multiple notifications [from Epsilon customers], just imagine what kind of profile is now in criminal hands," he writes in a blog post.
For this reason, Ferguson and several other security experts say that the risk from highly targeted phishing has been hugely increased as a result.
As usual, people need to be wary of e-mails asking for financial details or passwords, no matter how legitimate they appear to be, says Terry Greer-King, UK managing director for data security for Check Point.
This goldmine of information makes credible malicious e-mails much easier to design, says Ferguson.
"An email may appear to come from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link," he says.
All companies that process, store or transmit personal data belonging to other people should ensure the data is encrypted, says Ferguson.
"Encrypt it, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care," he says.
Business priorities seem to supersede data protection duties too often, says Richard Sansome, vice-president of IT services firm Mastek UK.
"It is astonishing that data is still lost or leaked on such a regular basis, especially when pseudonymisation and anonymisation tools exist that can take the responsibility for data protection out of flawed human hands," he says.
As long as organisations continue failing to address data protection, the risk of further incidents and large monetary penalties from regulators remains an ever-present danger, says Sansome.
Greer-King says data encryption, pseudonymisation and anonymisation are essential for any company holding personal details, not only to protect customers but also to avoid the potential costs of data disclosure penalties, which include loss of reputation.
The fall-out from this database hack, however it was caused, is going to be interesting, says Jeff Hudson, chief executive at key and certificate management firm Venafi.
"The saga is hopefully going to act as a wake-up call to IT security professionals about the need to better secure their data, using a mixture of encryption, proper key management and authorised access to the databases they keep," he says.
According to Hudson, the data breach also calls into question the increasingly popular trend towards outsourcing customer data to third-party and specialist marketing firms.
He predicts that the breach will trigger a rash of consequential data privacy amendments to the contracts of these firms, which will almost certainly result in more complex service level agreements for these types of services.
All things considered, it is likely that although relatively simple on the face of it, Epsilon's data breach will not be easily swept under the carpet. In fact, it may well mark a watershed and have profound repercussions for the marketing industry and the security of client information.
Tips for breach victims
- Pay careful attention to e-mails you receive in the coming months, perhaps years
- Never surrender personal information to a website you have followed a link to
- If you are suspicious of an e-mail, go directly to the website of the company that purportedly sent it and don't follow links in the e-mail as those may be fraudulent
- Check if e-mails are legitimate by calling the company using the number given on its website, not the number given in the e-mail, as that may be a fake
- Before giving out personal details, ensure that the connection is secured with SSL
- Read the privacy agreement carefully before you hand over any details
- Use unique addresses for each service
- Be aware that companies typically will not ask for credit card or other personal information by e-mail
- Use the latest security software, including web security features, to protect you from going to malicious websites such as phishing sites
- Re-subscribe to potentially breached services with a new e-mail address, and do not trust any e-mail messages sent to the original address.
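The last two tips can be turned into a simple mailbox check. The following is an added example, not code from the article or from any of the firms quoted: it assumes you have given each service its own address (constructed aliases below) and keep a list of which services' mailing lists are known to have been exposed, and it flags a message when the address it arrived at was only ever given to a different service, or was given to a service that has since been breached.

```python
from dataclasses import dataclass

# Constructed sample data: each alias was handed to exactly one service.
ALIASES = {
    "me+shop@example.org": "shop.example",
    "me+bank@example.org": "bank.example",
    "me+hotel@example.org": "hotel.example",
}

# Constructed sample data: services that have notified you of a breach.
BREACHED = {"shop.example", "hotel.example"}


@dataclass
class Message:
    sender_domain: str  # domain of the From: address, lower-cased
    recipient: str      # the alias the message was delivered to


def sender_matches(sender_domain: str, service: str) -> bool:
    """True if the sender is the service itself or one of its subdomains."""
    return sender_domain == service or sender_domain.endswith("." + service)


def classify(msg: Message, aliases=ALIASES, breached=BREACHED) -> str:
    """Return a verdict for one message based on the alias it arrived at."""
    service = aliases.get(msg.recipient.lower())
    if service is None:
        # Not an alias you issued: nothing to compare against.
        return "unknown-address"
    if service in breached:
        # The list this alias sits on has leaked; treat all mail to it as suspect.
        return "breached-alias"
    if not sender_matches(msg.sender_domain.lower(), service):
        # Only `service` ever had this address, yet someone else is using it.
        return "mismatch"
    return "ok"


def triage(messages, aliases=ALIASES, breached=BREACHED) -> dict:
    """Count verdicts over a batch of messages, e.g. a day's inbox."""
    counts: dict = {}
    for msg in messages:
        verdict = classify(msg, aliases, breached)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Anything marked "mismatch" or "breached-alias" is exactly the kind of message the article warns about: it looks like it comes from a company you deal with, but the address it reached tells you it could not have come through that relationship legitimately.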