Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Epsilon Valdez: How Bad Might it Get?

4/05/11

By Ken Magill

Call it the warning message sent round the world.

What is potentially the largest known email list theft in history has resulted in probably the most warning messages sent to consumers concerning the same event ever.

Over the past four days some of the most well-known brands in the world have been sending customers messages warning that marketing services provider Epsilon’s systems have been breached and that their addresses may have been compromised as a result.

Epsilon is the largest permission-based email marketing services provider in the world. According to the company’s Web site, it sends more than 40 billion emails annually for more than 2,500 clients, including seven of the Fortune 10.

As a result, the breach was potentially massive.

But the big question is: How much damage can the thieves do with the stolen files?

The answer is: It depends on how much information they were able to get. And how much data they were able to get apparently depends largely on how Epsilon’s clients’ databases were set up.

The company on April 1 published a statement revealing its systems had been breached.

“On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system,” the statement said. Epsilon claimed the information that was stolen was limited to email addresses and/or customer names.

Security experts are warning that the thieves may be able to use address holders’ trusted relationships with the affected brands to send personalized scams aiming to get people to reveal account numbers and passwords—spear phishing in Internet parlance.

Information as seemingly insignificant as just the recipient’s first name could be used to personalize messages containing links to malware, making it more likely people will click on them.

However, if the thieves stole only email addresses, little more is likely to result than some new spam sent across an Internet already awash in it.

“It would be like throwing a bucket of water in a swimming pool and waiting for the water level to rise,” said John Caldwell, founder of Red Pill Email, a consultancy that specializes in the tactical and technical aspects of email.

According to Caldwell, how much information the thieves were able to access depends largely on whether Epsilon’s clients set up their databases to use so-called relational tables, where different customer attributes are kept in different files.

Caldwell said if all the customer information is kept in the same table as the email addresses, the thieves would get the customer information as part of the theft.

“If you have one table that contains all of your data fields—you know, email address, first name, last name, address, phone number, shoe size—then when they steal that table they steal everything,” he said. “They’re going to be looking for email addresses, but if the data table that contains the email addresses also contains all the other information, then bonus.”

However, he said, if the information is kept in multiple data tables, it makes it more difficult for thieves to get more than just the email addresses.

“You really have to know what you’re looking for,” said Caldwell. “Keep in mind that each of these [Epsilon] customers has a different account so they [the thieves] are already going to be looking at a lot of data tables. As a result, they’re going to be looking for tables that contain the ‘at’ sign.”

But while Epsilon may offer relational table capabilities, it’s up to the client to use them, and many don’t, said Caldwell.

“Even if they [the ESPs] have it [relational table capabilities] the client has to configure it and most don’t because the guy that knows how to do that costs more than the guy who just hits ‘send,’” he said. “It’s the difference between a $40,000-a-year guy and an $80,000-a-year guy.”

Here’s to hoping Epsilon’s clients hired the $80,000-a-year guys.

Comments

Show: Newest | Oldest

Post a Comment
Your Name:
Subject:
Comments:
Verification:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: John Caldwell
Date: 2011-04-05 20:00:21
Subject: Epsilon

First we have to separate Epsilon as a vendor from their user accounts. ALL ESPs are built relationally; the structure of their clients is different. Data integrations and table architecture are two different things. If Epsilon developed the client data table structure within the client account as part of a managed service and put everything into a flat file per client spec, that's what they were tasked to do. If the client manages their own account and opted for a big flat file for user data if a relational table structure was available either they're lazy or don't know any better. Most data tables are not set up with security in mind, and to have the vendor set it up usually comes with additional costs. Data is primarily set up to accommodate present and future use as it pertains to the strategic goals of the messaging programs. Secondarily, up until a week ago, data integrations did not concern themselves with security based solely on the fact of assumed security by the vendor If someone has a "master key" that exposes all of the data tables hosted on the vendor, they are going to be going after the "big stuff", like data tables contain the "@" sign (or number structure (xxx-xxx-xxxx or xxxx xxxx xxxx xxxx). They aren't going to be perusing the hundreds or thousands of data tables at the client account level looking for Primary Keys so that they can join tables, and then try to figure out what those tables might be. And more often than not, and up until not too many years ago, the email address *was* (and still is in many cases) the Primary Key on relational tables anyway. So, just because you're using relational tables doesn't mean that data might not have gotten picked up, too. This just scratches the surface; this rabbit hole runs deep….
Posted by: Mark Vogel
Date: 2011-04-05 16:11:08
Subject: Epsilon

I'm sure this event will drive changes in the way large emailers manage their data. Like Adam, I'd assume that a company of Epsilon's rep would employ state-of-the-art processes. I'd be surprised if this has any long term negative effect on Epsilon. I can't imagine what other ESPs would say they are doing that Epsilon wasn't already doing. As an email marketer, I just hope that list-owners don't use this event as a reason to reduce legit best-practice email marketing activity.
Posted by: Adam
Date: 2011-04-05 15:04:14
Subject: Tables and Data

I would assume epsilon has relational tables and that they have specific people who work on the data integrations. These people are not the people who hit send and make more than $40,000. Also, these tables probably have some sort of numeric id, instead of 'Best Buy' for instance. Wouldn't this make it harder to the hackers to match back the email records to a specific client and subsequently use it for phishing scams? Unless of course they stole the mapping table also. I think the real scare is how much trust these clients have in Epsilon to not allow this to happen again. Interesting to see if other ESP's use this to their advantage in sales pitches and if we see a movement away from Epsilon.

Xverify