Epsilon’s Security Flaw Threatens Millions of Businesses, Consumers
April 4, 2011
Epsilon, a major email marketing company, annually forwards 40 billion messages. The firm purports to be the leading opt-in marketing company with some 2,500 corporate customers. Its branding slogan is “Marketing as Usual. Not a Chance.”
Epsilon reportedly emails customers for some pretty big players, including Capital One, Citibank, Disney, Home Shopping Network, JP Morgan Chase, Kroger, and TiVo.
As expected, Epsilon has an attractive Web site, www.epsilon.com. It touts all kinds of cutting-edge services. The site creates a favorable first impression.
But in my recent visit to the site, an important element was missing – an unfortunate omen, if you will. You see, appearances in business are important, especially first impressions about IT security. However, Epsilon has failed to adequately reassure its site’s visitors that it provides cutting-edge security. In today’s IT environment, that’s more than just a gaffe. It suggests a catastrophe of monumental proportions waiting to happen.
Unfortunately, such a security breakdown has already occurred. Indeed, on April 1, 2011, an ominous press release appeared on the company’s Web site. Unfortunately, it was not an April Fool’s joke.
Epsilon published this terse announcement:
Epsilon Notifies Clients of Unauthorized Entry into Email System
IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.
Epsilon’s notice didn’t please me. You see, the cybercriminals were already at work. Several days prior to the press-release posting on March 30, I became aware that something was amiss – phishing scams trying to entice businesses and consumers to take advantage of so-called offers.
Afterward, Threatpost reported that some of Epsilon’s customers in turn warned their customers – here’s the warning from Disney Destinations to its customers:
“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.
“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”
The two salient lessons from this security debacle:
- Epsilon and other companies that provide IT services need to make security more of a priority.
- Businesspeople and consumers need to stay alert to the dangers lurking on the Internet, and IT in general.
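The danger the Disney notice spells out is email that carries links designed to deceive: the text the reader sees names the brand, while the destination belongs to someone else. The following is an added example, not code from the column, Epsilon or Disney; the message body, the `.invalid` domains and the documentation IP address are constructed sample data, and the brand’s list of legitimate domains is assumed. It extracts every link from an HTML message and flags those whose destination is not a brand domain or whose visible text names a different host than the link actually points to.

```python
"""Link checker for the phishing wave the notice above warns about.

Added example, not code from the column, Epsilon or Disney. The email
body and the domains are constructed sample data (reserved .invalid
names); a mail gateway or a user-side tool would feed it real messages
and the sender brand's list of legitimate domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name.

    Simplification for the example: production code should consult the
    Public Suffix List so that names like co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_shown_in_text(text):
    """If the link text itself looks like a URL or host name, return that host."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname


def suspicious_links(html_body, legitimate_domains):
    """Return [(href, [reasons])] for links that do not belong to the brand.

    Two independent signals, either of which marks the link:
      * the destination host's registrable domain is not one the brand owns;
      * the text shown to the reader names a different host than the href.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) not in legitimate_domains:
            reasons.append(f"destination {host} is not a brand domain")
        shown = _host_shown_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"shown as {shown} but points to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed message imitating a retailer's notice after an address leak.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details.</p>
<a href="https://www.example-store.invalid/security">Security center</a>
<a href="https://example-store.invalid.account-verify.invalid/login">www.example-store.invalid</a>
<a href="http://198.51.100.23/offer">Claim your offer</a>
"""
LEGITIMATE_DOMAINS = {"example-store.invalid"}

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, LEGITIMATE_DOMAINS):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The second link in the sample is the classic trick: the brand name appears as the leftmost labels of a host that is actually registered elsewhere, so the registrable domain, not the presence of the brand string, is what the check compares.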
In conclusion, what are the solutions for this situation and to prevent more occurrences? My longtime go-to security expert is Dr. Stan Stahl of Citadel Information Group in Los Angeles. Here’s what he had to say in What You Really Need to Know to Stay Web Safe.
Further, noteworthy management lessons have evolved from the alleged data-management program at Epsilon. Obviously, Epsilon’s data management is an oxymoron. It is not managed properly. Here are Management Lessons from Epsilon’s Email-Breach Scandal.
From the Coach’s Corner, Dr. Stahl’s insights were also quoted in this business portal’s all-time most-read column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.
Dr. Stahl’s Web site: www.citadel-information.com.
His blog: www.citadel-information.com/blog.
(Note: Dr. Stahl is a valued friend and colleague. This relationship stems from our membership in Consultants West, www.consultantswest.com, a roundtable of some of the nation’s most-trusted consultants and authors.)
Trends in Human Resources Management – Wharton Study
Some intriguing revelations have come to light concerning developments in human resources management, according to a Wharton study.
The study considered trends in the human resources management of Fortune 100 firms – in 1999 and again in 2009 – and it provides insights for the future. All the answers led to one conclusion. HR is being accorded higher regard as a profession.
The study: “Who gets the top job? Changes in the attributes of human resource heads and implications for the future.”
It was researched by Dr. Peter Cappelli, a Wharton management professor, and Yang Yang, a Wharton post-doctoral fellow.
As for who gets the top job, 27 percent of the HR managers were women before the decade began. Now, 42 percent of HR managers are women.
The average HR manager is 53 years old. That’s up from 50.
“Why is not completely clear,” said Dr. Cappelli. “It could be a sign that the area has been stagnant as opposed to others.”
Conventional wisdom is that HR managers are required to have a broad business background. That was especially true in 1999 during a period of high employment.
During the Great Recession, with dwindling union membership rolls and high unemployment, HR executives tend to have more of a traditional HR background. But Dr. Cappelli indicates that “top leaders” are expected to have general-business acumen to understand the big picture facing their companies.
The data show that 39 percent of them were hired as HR managers from other firms. That’s down from 41 percent in 1999.
However, it also indicates the managers were hired at lower levels and promoted in a short period of time to the top HR spots later.
Preferred Experience
Many had experience working in these companies: Citibank, Dell, Hallmark, Morgan Stanley, Pepsi and Verizon.
“When a new person takes over that top role, the change in his or her attributes is quite likely to say something about the change in the priorities the CEO has for human resources going forward. Looking at how the backgrounds of these top executives have been changing should tell us something very important about trends in how corporate leadership sees the HR function,” according to the researchers.
While HR managers in the Fortune 100 tend to have bachelor’s and master’s degrees, fewer have doctorates.
Nearly 50 percent had international experience – especially in the top 60 – a 300 percent increase over 1999 levels.
Twenty percent in 2009 had communications and corporate affairs experience.
Accountability has taken on more importance.
“The adage, ‘You can’t manage what you don’t measure,’ reflects this move to get more serious about control systems, especially where the costs are high,” said Dr. Cappelli.
“While HR lacks the glamour within the business community of fields like strategy, its actions have a profound effect on the lives of employees,” the authors wrote. “Human resources is a crucial point of intersection between the broader society and business.”
The study showed that just four of the HR managers remained in their posts from 1999 to 2009.
The study was funded by PricewaterhouseCoopers.
From the Coach’s Corner, for more on the importance of HR management as a profession, please see this Biz Coach column: If Mergers & Acquisitions Tempt You, Consult HR Pros.
How to Protect Yourself from the Internet Crime Wave
Jan. 22, 2010
For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming.
The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”
The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion dollar loss – a public relations nightmare for Citibank – has been hushed up.
Many online security experts say online fraud is skyrocketing and there are FBI warnings about online fraud and related scams.
Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.
About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”). The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.
Cybercrime methods
Many crooks are using what are called “banking Trojans.” Here’s a typical case: “New Trojan Intercepts Online Banking Information – PC World.”
A cybersecurity expert, Dr. Stan Stahl, recently developed a plot line in another cybercrime issue, which is applicable to the banking scams.
“The plot line isn’t with Citibank but related to the recent web attack on Twitter that redirected users to the ‘Iranian Cyber Army.’ This same type of attack – stealing the UserID/password of Twitter DNS administrator and then changing the DNS to point to the Iranian Cyber Army – could be used to create a ‘cybercriminal-in-the-middle’ attack against an eCommerce site,” he said.
Dr. Stahl further explained the cybercriminal is then able to steal a consumer’s sensitive credit-card information and seize control of the victim’s computer.
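The scenario Dr. Stahl sketches turns on a single change: the domain’s DNS records are repointed to infrastructure the owner does not control, and every customer who types the right address lands on the wrong server. The defender’s counterpart is to keep a signed-off baseline of the domain’s delegation and address records and compare every fresh snapshot against it. The following is an added example, not code from the column or from Citadel Information Group; the domain, name servers, addresses and CIDR ranges are constructed sample data (reserved `.invalid` names and documentation IP ranges), and a real deployment would replace the observed values with records fetched from several independent resolvers on a schedule.

```python
"""Baseline check for the DNS-hijack scenario described above.

Added example, not code from the column or from Citadel Information Group.
All domains, addresses and records below are constructed sample data
(reserved .invalid names and documentation IP ranges); a real deployment
would replace the OBSERVED_* values with records fetched from several
independent resolvers and run the check on a schedule.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsBaseline:
    domain: str
    nameservers: frozenset     # NS records signed off by the domain owner
    a_records: frozenset       # A records the site is known to publish
    trusted_nets: tuple        # CIDR ranges the site legitimately hosts in


def check_dns(baseline, observed_ns, observed_a):
    """Compare observed NS and A records with the baseline.

    Returns a list of alert strings; an empty list means nothing changed.
    Any change to the NS set is CRITICAL, because a new delegation hands
    control of every record to whoever runs the new servers. An unexpected
    A record inside a trusted range is INFO (likely a planned move); one
    outside every trusted range is CRITICAL, the pattern of a redirect to
    infrastructure the owner does not control.
    """
    alerts = []
    observed_ns = {ns.lower().rstrip(".") for ns in observed_ns}
    added = observed_ns - baseline.nameservers
    removed = baseline.nameservers - observed_ns
    if added or removed:
        alerts.append(
            f"CRITICAL: NS set for {baseline.domain} changed "
            f"(added {sorted(added)}, removed {sorted(removed)})"
        )
    nets = [ipaddress.ip_network(n) for n in baseline.trusted_nets]
    for ip in observed_a:
        if ip in baseline.a_records:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            alerts.append(f"INFO: new A record {ip} inside trusted ranges")
        else:
            alerts.append(f"CRITICAL: A record {ip} outside all trusted ranges")
    return alerts


# Constructed baseline for a hypothetical storefront.
SAMPLE_BASELINE = DnsBaseline(
    domain="shop.example-store.invalid",
    nameservers=frozenset({"ns1.example-dns.invalid", "ns2.example-dns.invalid"}),
    a_records=frozenset({"203.0.113.10", "203.0.113.11"}),
    trusted_nets=("203.0.113.0/24",),
)

# Constructed observations: one routine snapshot, one mimicking a hijack
# in which the delegation and the address both now point elsewhere.
OBSERVED_NORMAL = (["ns1.example-dns.invalid", "ns2.example-dns.invalid"],
                   ["203.0.113.10", "203.0.113.11"])
OBSERVED_HIJACKED = (["ns1.unrelated-registrar.invalid"], ["198.51.100.7"])

if __name__ == "__main__":
    for label, (ns, a) in (("normal", OBSERVED_NORMAL), ("hijacked", OBSERVED_HIJACKED)):
        print(label, check_dns(SAMPLE_BASELINE, ns, a) or ["no change"])
```

Querying from several vantage points matters because a hijack at the registrar changes what the whole world resolves, whereas a poisoned local resolver changes only one view; comparing both against the same baseline distinguishes the two.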
He is a widely known pioneer in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
“I feel the banks must bear a significant share of the responsibility because they have the knowledge of what’s happening yet, in my experience and based on what I’ve been told by people in law enforcement, they are not working the problem with their customers nor are they supporting law enforcement by sharing what they know,” said Dr. Stahl. “They strike me as wanting to pretend this isn’t a problem.”
It’s true insurance companies reimburse victims of cybercrime. But cybercrime is expensive.
A client once hired Dr. Stahl to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.
“The lawsuit I’m involved in, for example, is between two insurance companies; both will lose dollars regardless of how the suit turns out,” Dr. Stahl explained. “If the insurance companies made bank cooperation with law enforcement a policy requirement, we’d get a lot more cooperation and the insurance companies would have fewer claims to pay.”
He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.
“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”
Smartphone dangers
A published report, “BBC News – Cybercriminals revive old scams to target smartphones,” raises the specter about threats against mobile phones.
The BBC smartphone report prompts this question from Dr. Stahl: “How long will it take until this type of malware is used to steal online bank credentials?”
Here are some of his tips to enhance your personal online security:
- Review all privacy and policy information.
- Use unique and hard-to-guess login information.
- Protect your computer.
- Check your account balance regularly.
- Pay using credit cards.
- Do not access your account from public locations.
- Verify email correspondence from your bank.
- If your account is compromised, take swift action.
For your company’s management controls:
- Don’t allow your employees to use your computers in social networking.
- Establish a list of allowable Web sites.
- Closely monitor your bank account.
- Train employees in social engineering awareness.
- Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
- Strengthen your defenses.
(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)
Resource links:
- Dr. Stahl’s Web site – www.citadel-information.com.
- His blog – www.citadelonsecurity.blogspot.com.
From the Coach’s Corner, here are additional security tips:
- If you’re a cyber victim, contact a noted security expert and authorities (How to Report E-Scams and Hoaxes to the FBI).
- If you want to help the victims in Haiti: “Only donate through the Red Cross or other well-established charity organizations,” said Dr. Stahl. “Ignore all email solicitations. They could be fake and prudence requires that one assume they are. There are lots of known safe groups through which one can contribute; no reason to take a risk here.”