Why the Epsilon Breach May be a Good Thing (so far)
By Ken Magill
Is there anyone out there with a computer and Internet access who hasn’t received an email from one of Epsilon’s clients saying that someone gained unauthorized access to a database containing their email address?
It’s hard to imagine there is.
In an informal survey, everyone I asked—with the exception of one Twitter follower early on—has received at least one warning.
My fifth-grade-teacher sister received several.
“The best one was from Disney,” she said. “They really spelled things out.”
My healthcare-worker sister also confirmed she received at least one warning. “Yes, I knew all about this,” she wrote in an email in response to a message I sent her warning of the breach and its possible consequences.
Then there was the person on Twitter last week who tweeted: “Enough with the Epsilon messages already. I get it!”
I have for years lamented the fact that there hasn’t been an industry-wide campaign to educate consumers about the dangers of email scams. Now there has been one.
Even the press coverage—as hysterical as so much of it has been—has served to educate the public about email scams. Never have so many articles about how to avoid getting phished been published in so many outlets at the same time.
Moreover, the breach has been a wake-up call about the need for increased security to everyone who sends permission-based commercial email.
“To me, this issue isn’t about the loss of an email address or many and whether it’s PII [personally identifiable information] or not. It really is about a very fundamental question: Are we trusted custodians of our customer data?” wrote Dave Lewis, chief marketer for Message Systems, on the Only Influencers discussion forum.
“And the term customer takes on multiple meanings in this context because we’re customers of each other,” Lewis continued. “All of us must be able to answer that question in the affirmative. All of us have too much riding on the outcome not to. We have no choice. So let's find the right forum for taking action and get on with it.”
So far there has been no reported spamming or scamming activity tied to the Epsilon breach. I put out a call on my e-mail-professional-heavy Twitter feed last week asking if anyone had received Epsilon-related spam yet.
The two responses I received were negative.
“I have received no spam to the tagged addresses of mine that are being mailed through Epsilon,” tweeted Word to the Wise’s Steve Atkins, a spam and email-deliverability expert.
Granted, whoever accessed Epsilon’s system may be lying low until things cool off. But currently, it is inarguably true that—besides one fake web page covered below—the only things to happen so far as a result of the Epsilon breach have been a much-needed, massive public education campaign and a major security wake-up call for the commercial email-vendor community.
As long as the ESPs act, the net outcome of this fiasco may very well end up being positive.
The Hysterical Nuttiness Continues
Meanwhile, the headless chickens over at the Coalition Against Unsolicited Commercial Email are refusing to die.
GlaxoSmithKline recently sent email warnings saying it, too, was part of the Epsilon breach.
“The file from which your name and email address were accessed may have identified the product website on which you registered,” the email said.
CAUCE reacted with what has become predictable alarmist absurdity.
“Epsilon Breach: Now criminals know what prescriptions you take,” said the headline of CAUCE’s absurd post.
“Along with your email address and name, the criminals now know which prescription drugs you may take,” the post began. “This makes spear-phishing attempts even more serious, falling for one of these may endanger your health should you buy fake drugs.”
The folks at CAUCE have no idea what information whoever breached Epsilon’s system has or does not have. Moreover, GlaxoSmithKline’s subscribers have now been warned that any email appearing to come from the company that solicits account information is fraudulent.
“CAUCE can't overstate the seriousness of this latest turn of events,” the post continued.
Uh, yes it can. And it has.
This isn’t to say nothing bad can happen as a result of unauthorized access to GlaxoSmithKline’s email files. It is to say, however, that CAUCE’s reaction borders on unhinged.
To make matters worse, in an update on the post, CAUCE claimed that Websense reported there is spam going out pretending to be from Epsilon notifying consumers of new information about the breach.
Websense reported no such thing.
It reported there has been a fake web page set up that attempts to get people to click on a link and download a malicious application of some sort. The report never even mentions the word “spam.”
Political Idiocy Cranks it up a Notch
And from the “duh, well no shit” file comes news that Sen. Richard Blumenthal, D-CT, has requested Epsilon CEO Bryan Kennedy come up with a plan to prevent data hackings in the future.
Blumenthal is also calling for Epsilon to be held accountable.
It apparently hasn’t occurred to Blumenthal that Epsilon’s clients are probably holding it accountable and driving the firm’s executives to “come up with a plan” more viciously and efficiently than Congress ever could.