Epsilon Breach Brings out the Stupid
By Ken Magill
Predictably, Epsilon’s well-publicized data breach last week resulted in an avalanche of stupidity—some of it offensive stupidity, some of it hysterical stupidity and some of it silly stupidity.
From the offensive-stupidity file comes news that some senators and House members are calling for Epsilon to release how many people’s email addresses may have been stolen and how the theft happened.
Yeah. That’s what Epsilon should do. Right in the middle of an investigation they should release every detail so they can inform the thieves about what they do and do not know. Oh, and let’s not forget the information may be used by new thieves to commit breaches.
And if an ignorant call for potentially investigation-damaging information wasn’t enough, a senior advisor to Rep. Mary Bono Mack (R-CA) reportedly told eWeek there may be hearings over the incident.
Excuse me, but how many wars are we in? How much money are we spending?
By all means, Mack, spend your time witch-hunting Epsilon over some possibly leaked email addresses so you can avoid actually doing your job.
Meanwhile, from the hysterical-stupidity file—not hysterical as in “funny,” but hysterical as in: “Run for your lives!”—comes the writings of Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email, on CircleID and on CAUCE.org.
“Epsilon Breach the Fukushima of the Email Industry,” was the headline of an April 4 piece on CircleID and CAUCE.org.
Really, Neil? Can you say “inappropriate?”
Fukushima’s an ongoing, horrifying nuclear disaster. The Epsilon breach involved a probable email list theft, the result of which, at worst, may be that some people receive a few more scam emails, possibly more personalized ones, than the dozens per day they already get.
And yes, I referred to the breach as Epsilon Valdez last week but (a) that was a play on words, and (b) the Exxon Valdez oil spill was 20 years ago.
And if the Fukushima comparison wasn’t bad enough, Schwartzman had a piece published on CircleID and the CAUCE website yesterday that was so irresponsible it would take an entire article to refute all of its errors in assumption and logic.
First, Schwartzman states as fact that Epsilon was hacked and email addresses and names were stolen. We don’t know any of this. All we know is there was a breach that may have involved some names and email addresses. A breach doesn’t have to come from outside the company or involve a hack to be a breach.
And we don’t know addresses were stolen. We rightly suspect it—after all, an unauthorized access that didn’t result in a theft would be extraordinarily odd—but we don’t know it.
“Breach” and “access”—the words Epsilon and its clients used to describe the incident—are not synonyms for “stolen.”
Schwartzman also recommended people change their email addresses. Oh, come on. And accomplish what? A spam-free address for all of three days?
Even worse, he suggested people whose addresses may have been accessed sue the companies known to be involved and file complaints with authorities such as the Federal Trade Commission.
Oh, for chrissakes, these are email addresses.
To be fair, Schwartzman didn’t argue that people whose addresses may have been compromised should sue, he wrote that they could, but someone ostensibly in a position of some authority even implying lawsuits are a reasonable action at this point is wildly irresponsible.
Still not finished, he tells consumers they’re the real victims when no consumer has so far been demonstrably victimized in any way.
And lastly, or at least the last bit I’ll address here, he makes an unreasonable demand and advocates boycotting the companies involved if the unreasonable demand is not met.
“If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business,” he wrote.
First, consumers don’t have relationships with Epsilon. And, um, excuse me, but in order to take public action, wouldn’t Epsilon have to make the public—which includes spammers and criminals—aware of the details of what they’ve done?
Message to Schwartzman and everyone else who has been calling for more public information from Epsilon: They can’t talk. They’re involved with the feds. The first thing the feds tell you is to shut up.
I will concede that Epsilon could have done a better job of explaining why they can’t talk, however.
[Author’s note: I’ve known Schwartzman for years. He is a dedicated, passionate, intelligent professional. But in this case, someone had to call bullshit. Something tells me he ain’t buying me a beer anytime soon, though.]
Meanwhile, from the silly-stupidity file comes an article on Business Insider touting a company that provides an unsubscribe button.
“After email marketing company Epsilon let millions of email addresses slip this weekend, you should prepare yourself for an onslaught of spam,” began the article as if an onslaught of spam would be something new.
“If you are on the email list for any of the affected companies, there's a quick and easy way to unsubscribe from their email list,” the piece continued. “The company Unsubscribe has a service that loads a button on to any major email client that will remove you from just about any email list.”
First, wouldn’t unsubscribing from Epsilon’s clients’ lists now be like trying to unring a bell?
And second, if someone steals an email list, what are the chances thieves honor unsubscribes, even one done using a big button supplied by a third party?
In all the hysteria and silliness that has been said and published as a result of the Epsilon breach, one rational, level-headed assessment stood out—a blog post by Steve Atkins on Word to the Wise headlined: “Epsilon—Keep Calm and Carry On.”
Though he also makes the probably correct, but as-yet-unproven, assumption that names and addresses were stolen, he gives a calm, reasoned explanation of what consumers can expect.
Read it here.