Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Why the Epsilon Breach May be a Good Thing (so far)


By Ken Magill

Is there anyone out there with a computer and Internet access who hasn’t received an email from one of Epsilon’s clients saying that someone gained unauthorized access to a database containing their email address?

It’s hard to imagine there is.

In an informal survey, everyone I asked—with the exception of one Twitter follower early on—has received at least one warning.

My fifth-grade-teacher sister received several.

“The best one was from Disney,” she said. “They really spelled things out.”

My healthcare-worker sister also confirmed she received at least one warning. “Yes, I knew all about this,” she wrote in an email in response to a message I sent her warning of the breach and its possible consequences.

Then there was the person on Twitter last week who tweeted: “Enough with the Epsilon messages already. I get it!”

I have for years lamented the fact that there hasn’t been an industry-wide campaign to educate consumers about the dangers of email scams. Now there has been one.

Even the press coverage—as hysterical as so much of it has been—has served to educate the public about email scams. Never have so many articles about how to avoid getting phished been published in so many outlets at the same time.

Moreover, the breach has been a wake-up call about the need for increased security to everyone who sends permission-based commercial email.

“To me, this issue isn’t about the loss of an email address or many and whether it’s PII [personally identifiable information] or not. It really is about a very fundamental question: Are we trusted custodians of our customer data?” wrote Dave Lewis, chief marketer for Message Systems, on the Only Influencers discussion forum.

“And the term customer takes on multiple meanings in this context because we’re customers of each other,” Lewis continued. “All of us must be able to answer that question in the affirmative. All of us have too much riding on the outcome not to. We have no choice. So let's find the right forum for taking action and get on with it.”

So far there has been no reported spamming or scamming activity tied to the Epsilon breach. I put out a call on my e-mail-professional-heavy Twitter feed last week asking if anyone had received Epsilon-related spam yet.

The two responses I received were negative.

“I have received no spam to the tagged addresses of mine that are being mailed through Epsilon,” tweeted Word to the Wise’s Steve Atkins, a spam and email-deliverability expert.

Granted, whoever accessed Epsilon’s system may be laying low until things cool off. But currently, it is inarguably true that—besides one fake web page covered below—the only things to happen so far as a result of the Epsilon breach have been a much-needed, massive public education campaign and a major security wake-up call for the commercial email-vendor community.

As long as the ESPs act, the net outcome of this fiasco may very well end up being positive.

The Hysterical Nuttiness Continues

Meanwhile, the headless chickens over at the Coalition Against Unsolicited Commercial Email are refusing to die.

GlaxoSmithKline recently sent email warnings saying it, too, was part of the Epsilon breach.

“The file from which your name and email address were accessed may have identified the product website on which you registered,” the email said.

CAUCE reacted with was has become predictable alarmist absurdity.

“Epsilon Breach: Now criminals know what prescriptions you take,” said the headline of CAUCE’s absurd post.

“Along with your email address and name, the criminals now know which prescription drugs you may take,” the post began. “This makes spear-phishing attempts even more serious, falling for one of these may endanger your health should you buy fake drugs.”

The folks at CAUCE have no idea what information whoever breached Epsilon’s system has or does not have. Moreover, GlaxoSmithKline’s subscribers have now been warned that any email appearing to come from the company that solicits account information is fraudulent.

“CAUCE can't overstate the seriousness of this latest turn of events,” the post continued.

Uh, yes it can. And it has.

This isn’t to say nothing bad can happen as a result of unauthorized access to GlaxoSmithKline’s email files. It is to say, however, that CAUCE’s reaction borders on unhinged.

To make matters worse, in an update on the post, CAUCE claimed that Websense reported there is spam going out pretending to be from Epsilon notifying consumers of new information about the breach.

Websense reported no such thing.

It reported there has been a fake web page set up that attempts to get people to click on a link and download a malicious application of some sort. The report never even mentions the word “spam.”

Political Idiocy Cranks it up a Notch

And from the “duh, well no shit” file comes news that Sen. Richard Blumenthal, D-CT, has requested Epsilon CEO Bryan Kennedy come up with a plan to prevent data hackings in the future.

Blumenthal is also calling for Epsilon to be held accountable.

It apparently hasn’t occurred to Blumenthal that Epsilon’s clients are probably holding it accountable and driving the firm’s executives to “come up with a plan” more viciously and efficiently than Congress ever could.


Show: Newest | Oldest

Post a Comment
Your Name:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Dave Lewis
Date: 2011-04-25 12:07:30
Subject: Let's think about this issue differently. Act differently too.

You’ve been right to call out some of the over-the-top (arguably stupid) assertions made around the Epsilon breach. But there’s another category of statements that offend my sensibilities – those that take this unfortunate incident and an issue core to the well-being of our industry — customer trust — and twist them to their competitive advantage. Or try to, anyway. I recently read an article by another well-known commentator in this space. While saying many things I agreed with and saying them well, the author also characterized the problem and solution in ways that I found to be fundamentally wrong and self-serving. He suggested that the answer was for brands to insource their email and even that consumers should lobby brands to keep their data in-house. Before getting into the particulars of those arguments, let me say this – as marketers, we all know how to manipulate issues to our advantage. That’s part our job and I’ll be the first to admit having done so. Had this article appeared under normal circumstances, it wouldn’t have registered a blip on my radar. But circumstances are not normal and now is not the time for self-serving pursuits. Too much is at stake. When breaches occur, customers don’t differentiate between one company or provider and the next, especially when sensationalized in the press or by politicians with their own agendas. The same dirty brush tars us all. As for the author’s simplistic assessment of the solution (insource instead of outsource), it regrettably ignores the facts and nature of the challenge at hand. Yes, there’s been a string of unfortunate breaches at service providers – some very public, some not. But the facts are that there have been far more breaches (and of a more serious nature) at individual companies. So truly, this is not about whether companies insource or outsource their email or not. We all know there are ways to safeguard customer data in either environment and that there are vulnerabilities in both at present. The issue is not about whether companies can trust their service providers either. It’s about our entire ecosystem being under attack, an attack that’s aimed at all of us — companies and service providers alike and everyone else in this industry who provides technology, product or services that might touch how customer data is captured, stored, transmitted or utilized. As for the suggestion that consumers should somehow lobby to keep their data in-house at companies — really? That’s beyond the pale. I question how further inciting consumers around this issue is helpful to restoring trust. And who exactly is served by this message. It’s certainly doesn’t serve the interests of our industry or advance its efforts to resolve the problem. As I’ve said before, this is a time for us to close ranks as an industry and get on with the real work that needs to be done -- collectively hardening our defenses to prevent breaches and improving our detection capabilities to spot them early when they occur. And this will take collaboration between all industry stakeholders at a business and technical level. As technology providers, I’d submit that we could play a more constructive role by lending our technical expertise to the industry discussion. And, of course, further hardening our own products and making sure clients are well instructed in their security features to protect their valuable data assets. That’s the focus of our company at least. And this brings me to my final point – our ecosystem. We’re all part of this ecosystem and have a stake in protecting it by solving the security issues that jeopardize the trust of our customers. I’m not speaking of an ecosystem in which customer data is irresponsibly shared, but the data-driven ecosystem that the future of digital messaging demands. And the one on which our collective livelihood depends, brings value to companies, and permits them to conduct the ‘relevant dialogues with customers’ to which the author alludes. So let’s dial back our competitive instincts a bit, welcome the innovative thinking and new products that will help us counter the attacks targeted against our individual companies and ecosystem. And as we seek to restore customer trust, let’s not tear at the fabric of the trust relationship that makes our own ecosystem work.