Marketing’s Weekly Dose of the Truth

Ken Magill


Epsilon Breach Brings out the Stupid

4/12/11

By Ken Magill

Predictably, Epsilon’s well-publicized data breach last week resulted in an avalanche of stupidity—some of it offensive stupidity, some of it hysterical stupidity and some of it silly stupidity.

From the offensive-stupidity file comes news that some senators and house members are calling for Epsilon to release how many people’s email addresses may have been stolen and how the theft happened.

Yeah. That’s what Epsilon should do. Right in the middle of an investigation they should release every detail so they can inform the thieves about what they do and do not know. Oh and let’s not forget the information may be used by new thieves to commit breaches.

And if an ignorant call for potentially investigation-damaging information wasn’t enough, a senior advisor to Rep. Mary Bono Mack (R-CA) reportedly told eWeek there may be hearings over the incident.

Excuse me, but how many wars are we in? How much money are we spending?

By all means, Mack, spend your time witch-hunting Epsilon over some possibly leaked email addresses so you can avoid actually doing your job.

Meanwhile, from the hysterical-stupidity file—not hysterical as in “funny,” but hysterical as in: “Run for your lives!”—comes the writings of Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email, on CircleID and on CAUCE.org.

“Epsilon Breach the Fukushima of the Email Industry,” was the headline of an April 4 piece on CircleID and CAUCE.org.

Really, Neil? Can you say “inappropriate?”

Fukushima is an ongoing, horrifying nuclear disaster. The Epsilon breach involved a probable email list theft, the worst result of which is that some people may receive a few more scam emails, possibly more personalized ones, on top of the dozens per day they already get.

And yes, I referred to the breach as Epsilon Valdez last week, but (a) that was a play on words, and (b) the Exxon Valdez oil spill was more than 20 years ago.

And if the Fukushima comparison wasn’t bad enough, Schwartzman had a piece published on CircleID and the CAUCE website yesterday that was so irresponsible it would take an entire article to refute all of its errors in assumption and logic.

First, Schwartzman states as fact that Epsilon was hacked and email addresses and names were stolen. We don’t know any of this. All we know is there was a breach that may have involved some names and email addresses. A breach doesn’t have to come from outside the company or involve a hack to be a breach.

And we don’t know addresses were stolen. We rightly suspect it—after all, an unauthorized access that didn’t result in a theft would be extraordinarily odd—but we don’t know it.

“Breach” and “access”—the words Epsilon and its clients used to describe the incident—are not synonyms for “stolen.”

Schwartzman also recommended people change their email addresses. Oh, come on. And accomplish what? A spam-free address for all of three days?

Even worse, he suggested people whose addresses may have been accessed sue the companies known to be involved and file complaints with authorities such as the Federal Trade Commission.

Oh, for chrissakes, these are email addresses.

To be fair, Schwartzman didn’t argue that people whose addresses may have been compromised should sue; he wrote that they could. But for someone ostensibly in a position of some authority to even imply that lawsuits are a reasonable action at this point is wildly irresponsible.

Still not finished, he tells consumers they’re the real victims when no consumer has so far been demonstrably victimized in any way.

And lastly, or at least the last bit I’ll address here, he makes an unreasonable demand and advocates boycotting the companies involved if the unreasonable demand is not met.

“If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business,” he wrote.

First, consumers don’t have relationships with Epsilon. And, um, excuse me, but in order to take public action, wouldn’t Epsilon have to make the public—which includes spammers and criminals—aware of the details of what they’ve done?

Message to Schwartzman and everyone else who has been calling for more public information from Epsilon: They can’t talk. They’re involved with the feds. The first thing the feds tell you is to shut up.

I will concede that Epsilon could have done a better job of explaining why they can’t talk, however.

[Author’s note: I’ve known Schwartzman for years. He is a dedicated, passionate, intelligent professional. But in this case, someone had to call bullshit. Something tells me he ain’t buying me a beer anytime soon, though.]

Meanwhile, from the silly-stupidity file comes an article on Business Insider touting a company that provides an unsubscribe button.

“After email marketing company Epsilon let millions of email addresses slip this weekend, you should prepare yourself for an onslaught of spam,” began the article as if an onslaught of spam would be something new.

“If you are on the email list for any of the affected companies, there's a quick and easy way to unsubscribe from their email list,” the piece continued. “The company Unsubscribe has a service that loads a button on to any major email client that will remove you from just about any email list.”

First, wouldn’t unsubscribing Epsilon’s clients’ lists now be like trying to unring a bell?

And second, if someone steals an email list, what are the chances thieves honor unsubscribes, even one done using a big button supplied by a third party?

In all the hysteria and silliness that has been said and published as a result of the Epsilon breach, one rational, level-headed assessment stood out—a blog post by Steve Atkins on Word to the Wise headlined: “Epsilon—Keep Calm and Carry On.”

Though he also makes the probably correct, but as-yet-unproven, assumption names and addresses were stolen, he gives a calm, reasoned explanation of what consumers can expect.

Read it here.

Comments


Posted by: Spammed to Death
Date: 2011-04-27 15:27:30
Subject: way to much

Why should they not be held accountable for the breach? Maybe they should have spent more cash to make sure they couldn't be breached. Not too long ago I started getting junk spam, all sorts of crap: win this, win that, buy this, buy that, jackpots, etc. I thought I was hacked; then came the Epsilon notices from several companies I have dealt with. Bottom line: they hold the info and I entrusted them with it. I get approx. 20 or more junk mails now every day, up from zero (unless I had allowed it). I have added more security, but still I, yes me, hold them responsible. And no, I didn't panic. It just pisses me off, as now I have to deal with it every day, looking through email and then having to look through spam to see what is good or isn't good.
Posted by: Ken Magill
Date: 2011-04-12 16:27:10
Subject: Consumers vs ESPs

Jeff: We don't disagree, but the ESP image-management problem is being driven by what is being written in the consumer press and blogosphere. Steve's reasoned approach injected some much needed sanity.
Posted by: Ken Magill
Date: 2011-04-12 16:21:03
Subject: Stolen

Steve: And all that is required to be safe and correct is a minor word tweak, like "probably stolen." I know it sounds picky, but professional journalists wrestle with this stuff all the time. Your piece was still great, though.
Posted by: Ken Magill
Date: 2011-04-12 16:16:25
Subject: stolen

As long as remotely possible, no matter how slight, that the names weren't stolen, you can't say they were. I would be shocked if they weren't--really shocked--but we shouldn't state as fact they were.
Posted by: Steve Atkins
Date: 2011-04-12 16:05:38
Subject: Consumers vs ESPs and marketers

@Jeff "Keep Calm and Carry On" is talking about what recipients / consumers need to do. What ESPs and marketers need to do is quite different (though, IMO, it's more about managing image than network security).
Posted by: Steve Atkins
Date: 2011-04-12 16:03:35
Subject: Not "stolen", but "thieves" "compromised" email and "information was obtained"

Epsilon's stated that "information was obtained" by the cracker, which suggests that they think that the cracker not only had potential access to the names and addresses, but that they also accessed that data. That's "stolen" by that point. They're also describing the email addresses as "compromised" and apologizing for spam that may be sent as a result of the incident. They're also describing the crackers as "thieves". While it's *possible* the email addresses may not have been stolen, Epsilon (who have all the information about the incident) are signaling very clearly that they think they've been stolen. It doesn't mean that it was *necessarily* taken with any malicious intent, nor that it'll be shared with spammers or phishers, though that's obviously a strong possibility. We'll wait until the tagged addresses that were there are used by someone else before we can say that for sure.
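Atkins's remark about waiting for "the tagged addresses" to be used by someone else refers to a standard leak-detection practice: each sender gets an address that nobody else was given, so mail arriving at that address from anyone other than the expected sender points at the list that got out. The block below is an added example of that technique in Python; it is not Atkins's own setup and does not come from the page or from Epsilon. The secret, the mailbox, the merchant names, the sender domains and the sample messages are all constructed for the illustration.

```python
import hashlib
import hmac
import re

# Assumed per-mailbox secret and mailbox; both are constructed for this example.
SECRET = b"rotate-this-per-mailbox"
LOCAL_PART, MAIL_DOMAIN = "alice", "example.org"
TAG_LEN = 10


def tagged_address(merchant: str, secret: bytes = SECRET) -> str:
    """Derive the plus-address handed to one merchant, e.g. alice+3f9c...@example.org.

    The tag is an HMAC of the merchant name, so a third party cannot guess a
    valid tag, or tell which merchant a tag belongs to, without the secret.
    """
    tag = hmac.new(secret, merchant.strip().lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{LOCAL_PART}+{tag}@{MAIL_DOMAIN}"


# Constructed registry: merchant -> the tagged address it was given and the
# domain its legitimate mail is expected to come from.
REGISTRY = {
    "bigbox": {"address": tagged_address("bigbox"), "sender_domain": "mail.bigbox.example"},
    "travelco": {"address": tagged_address("travelco"), "sender_domain": "news.travelco.example"},
}

ADDR_RE = re.compile(rf"^(?P<local>[^+@]+)\+(?P<tag>[0-9a-f]{{{TAG_LEN}}})@(?P<domain>[^@]+)$")


def classify(mail_from: str, rcpt_to: str, registry: dict = REGISTRY) -> dict:
    """Attribute one inbound message to the list its recipient address was seeded into.

    Verdicts:
      untagged     - recipient carries no tag; nothing to attribute
      unknown_tag  - tagged, but no merchant was ever given this tag (forged or mistyped)
      expected     - sender domain matches the merchant the tag was given to
      leaked       - a valid tag used by some other sender: that merchant's list got out
    """
    rcpt = rcpt_to.strip().lower()
    if not ADDR_RE.match(rcpt):
        return {"verdict": "untagged", "merchant": None}
    merchant = next((name for name, rec in registry.items() if rec["address"] == rcpt), None)
    if merchant is None:
        return {"verdict": "unknown_tag", "merchant": None}
    sender_domain = mail_from.rsplit("@", 1)[-1].strip().lower()
    expected = registry[merchant]["sender_domain"]
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return {"verdict": "expected", "merchant": merchant}
    return {"verdict": "leaked", "merchant": merchant}


def leaked_lists(messages, registry: dict = REGISTRY) -> dict:
    """Count, per merchant, how many messages reached its tag from an unexpected sender."""
    counts = {}
    for mail_from, rcpt_to in messages:
        result = classify(mail_from, rcpt_to, registry)
        if result["verdict"] == "leaked":
            counts[result["merchant"]] = counts.get(result["merchant"], 0) + 1
    return counts


# Constructed sample of (MAIL FROM, RCPT TO) pairs, as an MTA would log them.
SAMPLE_MESSAGES = [
    ("bounce-123@mail.bigbox.example", REGISTRY["bigbox"]["address"]),   # legitimate
    ("claim@prize-notice.example", REGISTRY["bigbox"]["address"]),        # bigbox tag, wrong sender
    ("deals@news.travelco.example", REGISTRY["travelco"]["address"]),     # legitimate
    ("someone@random.example", "alice+0123456789@example.org"),           # tag never issued
    ("someone@random.example", "alice@example.org"),                      # untagged
]

if __name__ == "__main__":
    for mail_from, rcpt_to in SAMPLE_MESSAGES:
        print(f"{mail_from:32} -> {rcpt_to:42} {classify(mail_from, rcpt_to)}")
    print("leaked:", leaked_lists(SAMPLE_MESSAGES))  # {'bigbox': 1}
```

Two caveats a practitioner would want. First, a plus-address tag is visible in the address itself, so a spammer who normalizes recipients by dropping everything after the "+" turns a leaked tag into an "untagged" message and defeats attribution; the HMAC only stops outsiders from guessing a valid tag. Seeding with entirely distinct mailboxes, or a catch-all domain per sender, is more robust. Second, this attributes mail to a list; it does not by itself prove theft, which is the distinction the thread is arguing over: a single unexpected sender could be a forwarder or a merchant that changed sending domains, so treat the per-merchant counts as a signal to investigate rather than a verdict.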
Posted by: Ken Magill
Date: 2011-04-12 15:56:45
Subject: What side of the ocean

Thanks Jeff: I'm not saying this incident shouldn't be taken seriously, just more factually and level-headedly. If people weren't blowing things way out of proportion and claiming to know things they can't know, a lot less shit would be hitting the fan.
Posted by: Ken Magill
Date: 2011-04-12 15:40:05
Subject: "stolen"

Epsilon never used the word "stolen." I had another editor check my back on that. It's an important distinction.
Posted by: Jeff Ginsberg
Date: 2011-04-12 15:34:29
Subject: Which side of the ocean do you swim in

Hi Ken... Although I agree with your point about disclosure and investigation, the part I don't is simple. This incident affects all of us differently. Many of my clients are very upset at this data breach, and if you are a client of Epsilon or hosting your data there, it has different ramifications than if you don't. BTW, not really sure of any ESP that has not rethought or revised their privacy and data security policy because of this, so in essence it has affected the entire industry. This incident is not a nuclear meltdown but rather a wake-up call to our industry. As for your reference, Steve Atkins on Word to the Wise headlined "Epsilon—Keep Calm and Carry On": this might be OK for you, Ken, but for me it's been shit hitting the fan left, right and center; now we need a cleanup in aisle 3, 4, and 5. My2sense. Jeff
Posted by: Steve Atkins
Date: 2011-04-12 15:28:58
Subject: What was stolen

Epsilon have stated that only names and email addresses were stolen. Given how ESPs tend to process data I find their statement fairly plausible. And if they were trying to minimize the apparent impact by intentionally understating what data was taken I'd expect them to be using different language. If more information comes in suggesting that other data was taken then that'd change things, but unless it does I'm going to presume that it's just names and email addresses (and the associated list owner). http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Alliance_Data_Provides_Statement_Surrounding_Unauthorized_Entry_Incident_at_Epsilon_Subsidiary/p1061-l3
