Epsilon’s Security Flaw Threatens Millions of Businesses, Consumers

 

April 4, 2011

 

Epsilon, a major email marketing company, sends some 40 billion messages a year. The firm purports to be the leading opt-in marketing company, with some 2,500 corporate customers. Its branding slogan is “Marketing as Usual. Not a Chance.”

Epsilon reportedly emails customers for some pretty big players, including Capital One, Citibank, Disney, Home Shopping Network, JP Morgan Chase, Kroger, and TiVo.

As expected, Epsilon has an attractive Web site, www.epsilon.com. It touts all kinds of cutting-edge services. The site creates a favorable first impression.

But in my recent visit to the site, an important element was missing – an unfortunate omen, if you will. You see, appearances in business are important, especially first impressions about IT security. However, Epsilon has failed to adequately reassure its site’s visitors that it provides cutting-edge security. In today’s IT environment, that’s more than just a gaffe. It suggests a catastrophe of monumental proportions waiting to happen.

Unfortunately, such a security breakdown has already occurred. Indeed, on April 1, 2011, an ominous press release appeared on the company’s Web site. Unfortunately, it was not an April Fool’s joke.

Epsilon published this terse announcement:

Epsilon Notifies Clients of Unauthorized Entry into Email System

IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Epsilon’s notice didn’t please me. You see, the cybercriminals were already at work. Several days prior to the press-release posting on March 30, I became aware that something was amiss – phishing scams trying to entice businesses and consumers to take advantage of so-called offers.

Afterward, Threatpost reported that some of Epsilon’s customers in turn warned their own customers. Here’s the warning from Disney Destinations to its customers:

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.

“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

The two salient lessons from this security debacle:

  1. Epsilon and other companies that provide IT services need to make security more of a priority.
  2. Businesspeople and consumers need to stay alert to the dangers lurking on the Internet, and IT in general.

In conclusion, what are the solutions for this situation and to prevent more occurrences? My longtime go-to security expert is Dr. Stan Stahl of Citadel Information Group in Los Angeles. Here’s what he had to say in What You Really Need to Know to Stay Web Safe.

Further, noteworthy management lessons have emerged from the alleged data-management program at Epsilon. Calling it “data management” is an oxymoron: the data clearly was not managed properly. Here are Management Lessons from Epsilon’s Email-Breach Scandal.

From the Coach’s Corner, Dr. Stahl’s insights were also quoted in this business portal’s all-time most-read column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

Dr. Stahl’s Web site: www.citadel-information.com.

His blog: www.citadel-information.com/blog.

(Note: Dr. Stahl is a valued friend and colleague. This relationship stems from our membership in Consultants West, www.consultantswest.com, a roundtable of some of the nation’s most-trusted consultants and authors.)

What You Must Do to Combat the Malware Epidemic

 

Aug. 11, 2010

The nation’s leading Internet security expert agrees with McAfee – the antivirus firm’s 2010 Q2 report states an epidemic of malware has been unleashed on the Web – and he provides solutions.

 “The report reconfirms everything we’ve been saying since we began our blog 18 months ago. There has been a sea change in cybercrime,” writes Dr. Stan Stahl. “Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.”

Dr. Stahl is a principal in Citadel Information Group, and is president of the Los Angeles Chapter of the Information Systems Security Association.

“The report is a reminder to every organization to take a critical look at its defenses – everything from policies and employee awareness training to modern intrusion prevention systems,” suggests Dr. Stahl. “It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical security management domains.”

He says the security-management domains include:

  1. Corporate security management
  2. Security management of the IT infrastructure
  3. Point-in-time security of the IT infrastructure

“It’s also a time to talk to your attorney and your insurance broker,” he adds. “Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.”

Indeed, the McAfee report confirms what Dr. Stahl has been telling me. The malware epidemic recently prompted Microsoft to issue an emergency patch. Whatever he recommends, I strongly endorse it.

Two resource links:

From the Coach’s Corner, Dr. Stahl has often graciously responded to my requests for information since 2004. His analysis on many IT security topics – from the dangers of mobile banking to using WIFI – can be found in numerous columns here on The Biz Coach site. Simply enter his name as keywords in this site’s search box in the upper right corner of any of these pages.

Biz Coach Terry Corbell – the business-performance consultant – provides Proven Solutions for Maximum Profits.
