Last night was the culmination of March Madness for the men’s NCAA basketball teams, and the University of Connecticut won (Go Huskies!). Tonight the women meet to decide their national champion. These college games have drawn attention from everyone from the president of the United States to people all over the world. It is truly madness, and fun.
Unfortunately there has been another kind of madness in the world of data security. The last few weeks have brought headlines about major companies all over the world being breached.
BP lost a laptop with the names of thousands of oil spill victims. Saint Francis Health System in Oklahoma had a PC stolen with the personal information of 84,000 patients.
Just a few days ago came one that may affect millions of people. Epsilon Data Management is a large database marketing services provider that sends email on behalf of thousands of major corporations. Hackers stole an email list from Epsilon containing the names and email addresses of potentially millions of customers. A few of the companies affected include Barclays Bank, Best Buy, Capital One, Citigroup, Hilton, JPMorgan Chase, Kroger, Marriott, U.S. Bancorp and Walgreens. Epsilon says it sent 40 billion emails last year to customers on behalf of its clients.
People have already started receiving email notifications from these companies informing them of the breach. I got one yesterday. The email begins as follows:
Dear Ron,
We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.
Consider these tips to help protect your personal information online:
- Don’t email personal or financial information.
- Don’t reply to or click on links in email or pop-up messages that ask for personal information.
- Use anti-virus and anti-spyware software and a firewall.
- Use caution when opening attachments or downloading files from email.
The reason this is worse than it appears is that the names and email addresses are tied to the companies with which those people have a relationship. The major concern from everyone is that hackers and criminals will use this information for spear phishing. That is an attack where someone sends you a personalized email that appears to be legitimate and asks you for confidential information, such as a credit card number, a password, an account number or a social security number. It is worse than a regular phishing scam because the email appears to come from a company you already know and trust. If I see what looks like a legitimate email from my bank, I will probably open it. It looks legitimate, so I act.
This data breach points out a few things that businesses need to think about.
- You need to protect and control your customer information.
- You need to protect and control the dissemination and use of your customer information by third parties.
- You are not only responsible for the information that you keep, but also the information that your partners and vendors keep.
- You need to audit your own data security policies, procedures and practices.
- You need to audit your partners’ data security policies, procedures and practices.
The Payment Card Industry Data Security Standard (PCI DSS) is one set of rules intended to secure consumer and business credit card information. It stipulates security measures for the storage, use and transmission of confidential cardholder data. Unfortunately those rules do not apply to the storage, use and transmission of email addresses and people’s names.
In the US, 46 states have data breach notification laws that address breaches of personally identifiable information (PII). Again, these do not cover email addresses and people’s names. They focus on social security numbers, financial information, health data and other unique data that a criminal could use to steal money or an identity. I think the information taken in the Epsilon breach is of the same type. My email address tied to my bank is serious.
The scary part of this is that a simple measure could have prevented the problem. Had the email list been encrypted, this whole story would have been a yawn. I assume the list was in a database, but it could also have been in a spreadsheet or other document; the BP and Saint Francis incidents show that a lot of customer lists are kept in spreadsheets. Using enterprise digital rights management on the file would prevent unauthorized people from using the information. Epsilon could have flipped a kill switch on the file, leaving the thief with nothing but random characters. No harm, no foul.
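As an added illustration (not code from the original post or from Epsilon), here is what "encrypt the list and keep a kill switch" looks like in Go: the customer list is sealed with AES-256-GCM under a data key that lives somewhere other than the file, and destroying that key is the kill switch. The CSV sample, the function names and the idea that the key sits in a separate key service are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample list standing in for the exported spreadsheet or database dump.
const customerList = "name,email,client\nRon,ron@example.com,Example Bank\nAnn,ann@example.com,Example Hotel\n"
// gcmFor builds AES-256-GCM for a 32-byte data key that is held apart from the file
// (a key service or HSM); destroying that key is the kill switch the post describes.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealList encrypts the list; the output can sit in the file store or go to a vendor.
func SealList(key, plain []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce prepended; the rest looks random
}
// OpenList decrypts a sealed list. A nil key models a destroyed or revoked key: a stolen
// copy of the file alone cannot be turned back into names and addresses.
func OpenList(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("key unavailable/invalid or file truncated: %v", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil) // wrong key or tampering also fails
}
func main() {
	key := make([]byte, 32)
	rand.Read(key) // fresh data key; in production it lives in the key service, not beside the file
	sealed, _ := SealList(key, []byte(customerList))
	plain, _ := OpenList(key, sealed)
	_, revoked := OpenList(nil, sealed) // kill switch flipped: key destroyed
	fmt.Printf("with key: %q\nafter revocation: %v\n", plain[:17], revoked)
}
```

Because GCM authenticates the ciphertext, a wrong key, a revoked key, or any edit to the sealed file all produce an error rather than garbage plaintext.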
If you use any third party for billing, payroll, email marketing, or other financial services, make sure their data security measures are as strict as your own. If you send information to an outside printer, you may have the same issue. It’s critical that you protect and control your customer data no matter where it is or who has it. Your information is your business. Any compromise gives you a black eye.
Just like in the NCAA tournament, you need to worry about your opponent as much as you worry about yourself. Make sure your friends and partners are as concerned about that opponent as you are when it comes to your data security.
Photo credit krissal4300