Security experts warn businesses not to underestimate e-mail data breaches

Security experts are warning businesses not to underestimate the significance of e-mail data breaches.

Security experts are warning businesses not to underestimate the significance of e-mail data breaches, such as the one at US marketing firm Epsilon.

The breach has had a huge knock-on effect on Epsilon's customers, which include Marks & Spencer and the Ritz-Carlton.

Both these companies have issued warnings to customers to expect an increase in spam e-mail, as have other, mainly US-based, companies that use Epsilon's services, including the hotel chains Marriott and Hilton, Best Buy, TiVo, Walgreens and JPMorgan Chase.

The notification letters, however, imply that the risk is fairly limited, emphasising that only names and e-mail addressers were stolen, and not any other personally identifiable information.

"In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam e-mails requesting personal or sensitive information," says the notification from Ritz-Carlton.

But Paul Davis, director of European operations at security firm FireEye, says data theft accounts for 33% of all attacks, and although an increase in spam is an obvious outcome, not so obvious is the increased risk of targeted malware attacks seeking to infiltrate company systems.

"The loss of personal data is the initial step in a series of potential exploits, from mass spam through to advanced targeted malware, which seeks to establish a beachhead within corporate systems for subsequent exploit and data exfiltration," he says.

Frank Coggrave, general manager EMEA at Guidance Software, says the Epsilon data breach also highlights that no one is safe from these increasingly sophisticated and targeted attacks.

"Since attacks consistently break through even the toughest of security systems, organisations need to focus on deploying incident response plans to mitigate the effects," he says.

Incident response plans should be designed to enable organisations to find out where the attacks have come from and determine the full extent of the damage, says Coggrave.

This information is essential to improving checks and processes to ensure the threat is not reintroduced, he says.

Read more on IT risk management