Epsilon Valdez: How Bad Might it Get?
By Ken Magill
Call it the warning message sent round the world.
What is potentially the largest known email list theft in history has resulted in what is probably the largest number of warning messages ever sent to consumers about a single event.
Over the past four days some of the best-known brands in the world have been sending customers messages warning that marketing services provider Epsilon’s systems have been breached and that their addresses may have been compromised as a result.
Epsilon is the largest permission-based email marketing services provider in the world. According to the company’s Web site, it sends more than 40 billion emails annually for more than 2,500 clients, including seven of the Fortune 10.
As a result, the breach was potentially massive.
But the big question is: How much damage can the thieves do with the stolen files?
The answer is: It depends on how much information they were able to get. And how much data they were able to get apparently depends largely on how Epsilon’s clients’ databases were set up.
The company on April 1 published a statement revealing its systems had been breached.
“On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system,” the statement said. Epsilon claimed the information that was stolen was limited to email addresses and/or customer names.
Security experts are warning that the thieves may be able to use address holders’ trusted relationships with the affected brands to send personalized scams aiming to get people to reveal account numbers and passwords—spear phishing in Internet parlance.
Information as seemingly insignificant as just the recipient’s first name could be used to personalize messages containing links to malware, making it more likely people will click on them.
However, if the thieves stole only email addresses, little more is likely to result than some new spam sent across an Internet already awash in it.
“It would be like throwing a bucket of water in a swimming pool and waiting for the water level to rise,” said John Caldwell, founder of Red Pill Email, a consultancy that specializes in the tactical and technical aspects of email.
According to Caldwell, how much information the thieves were able to access depends largely on whether Epsilon’s clients set up their databases to use so-called relational tables, where different customer attributes are kept in different files.
Caldwell said if all the customer information is kept in the same table as the email addresses, the thieves would get the customer information as part of the theft.
“If you have one table that contains all of your data fields—you know, email address, first name, last name, address, phone number, shoe size—then when they steal that table they steal everything,” he said. “They’re going to be looking for email addresses, but if the data table that contains the email addresses also contains all the other information, then bonus.”
However, he said, if the information is kept in multiple data tables, it makes it more difficult for thieves to get more than just the email addresses.
“You really have to know what you’re looking for,” said Caldwell. “Keep in mind that each of these [Epsilon] customers has a different account so they [the thieves] are already going to be looking at a lot of data tables. As a result, they’re going to be looking for tables that contain the ‘at’ sign.”
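To make Caldwell’s point concrete, here is an added illustration, not part of the article and not Epsilon’s or any client’s code. It builds two throwaway SQLite databases with constructed sample rows: one flat table holding every attribute beside the email address, and a relational layout in which the email table carries only a surrogate key and the address. It then applies the crude search Caldwell describes (which tables contain an ‘at’ sign) and reports which personal-data columns would be exposed if the email-bearing table alone were copied. The table and column names are hypothetical, and `audit_colocated_pii` is a defender’s check you could run against your own schema.

```python
import sqlite3

# Constructed sample rows for the demonstration; not real customer data.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "Adams", "1 Main St", "555-0100"),
    ("bob@example.net", "Bob", "Baker", "2 Oak Ave", "555-0101"),
]

# Column names treated as personal data beyond the email address itself.
PII_COLUMNS = {"first_name", "last_name", "postal_address", "phone"}


def build_flat_db():
    """Single-table layout: every attribute lives in the same row as the email."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE subscribers_flat (
        email TEXT PRIMARY KEY, first_name TEXT, last_name TEXT,
        postal_address TEXT, phone TEXT)""")
    conn.executemany("INSERT INTO subscribers_flat VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_relational_db():
    """Two-table layout: the email table holds only a surrogate key and the address;
    names, postal address and phone live in a separate profile table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.execute("""CREATE TABLE subscriber_profiles (
        subscriber_id INTEGER REFERENCES subscribers(id),
        first_name TEXT, last_name TEXT, postal_address TEXT, phone TEXT)""")
    for email, first, last, addr, phone in SAMPLE_ROWS:
        cur = conn.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))
        conn.execute("INSERT INTO subscriber_profiles VALUES (?,?,?,?,?)",
                     (cur.lastrowid, first, last, addr, phone))
    conn.commit()
    return conn


def table_columns(conn, table):
    """Column names of a table, from SQLite's table_info pragma."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def tables_containing_at_sign(conn):
    """Tables in which at least one column holds a value containing '@',
    the marker Caldwell says a thief would use to spot address tables."""
    found = []
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in names:
        for col in table_columns(conn, table):
            hit = conn.execute(
                f"SELECT 1 FROM {table} WHERE CAST({col} AS TEXT) LIKE '%@%' LIMIT 1"
            ).fetchone()
            if hit:
                found.append(table)
                break
    return found


def exposure_from_email_tables(conn):
    """Map each email-bearing table to the sorted list of PII columns that would
    leave with the addresses if that table alone were copied."""
    return {t: sorted(set(table_columns(conn, t)) & PII_COLUMNS)
            for t in tables_containing_at_sign(conn)}


def audit_colocated_pii(conn):
    """Defender's check: True if any table holding email addresses also carries PII."""
    return any(cols for cols in exposure_from_email_tables(conn).values())


if __name__ == "__main__":
    print("flat layout exposes:", exposure_from_email_tables(build_flat_db()))
    print("relational layout exposes:", exposure_from_email_tables(build_relational_db()))
```

In the flat layout the one table that matches the ‘at’ search carries the names, postal address and phone number too, so copying it yields everything; in the relational layout the matching table yields only the address and an opaque key, and turning that key into a name requires knowing which other table to join and on which column. The audit function is the kind of check an ESP client could run before launch to confirm the separation is actually configured rather than merely available.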
But while Epsilon may offer relational table capabilities, it’s up to the client to use them, and many don’t, said Caldwell.
“Even if they [the ESPs] have it [relational table capabilities] the client has to configure it and most don’t because the guy that knows how to do that costs more than the guy who just hits ‘send,’” he said. “It’s the difference between a $40,000-a-year guy and an $80,000-a-year guy.”
Here’s to hoping Epsilon’s clients hired the $80,000-a-year guys.