Reports that Epsilon, the permission-based email marketing firm, has suffered a major data breach, could cause severe reputational damage for its clients.
Hackers appear to have downloaded a ‘subset’ of Epsilon’s database, potentially exposing the contact details for customers of several high-profile brands to phishing attacks and spam.
The reasons for the breach have yet to emerge, but I think it is also interesting to see that The Register has reported an invalid security certificate on the Epsilon Web site over the weekend, noting that the marketing firm’s client list includes AbeBooks, a major bookseller; Lacoste, the luxury sports goods firm; Marriott, the hotel chain, and several other major US companies.
The two incidents may not be linked but an out of date encryption key just makes their security situation worse. The company has issued a terse one paragraph press statement about the main data incursion, but the primary issue here is that the email details relate to people who have opted into one or more of the company’s emails, meaning that cybercriminals can now profile these users a lot more precisely than if they had simply rented a spam emailing database.
The problem now is that the clients of Epsilon must notify those Internet users whose details have been compromised. Impacted users will likely be less well disposed to the companies concerned. The reputational impact and damage on their brand could be significant. Recovering from such public breaches is difficult.
Let’s put that simply: if your favourite supermarket chain admitted that your opt-in details had been lost, you probably wouldn’t feel good about it. You might even switch your loyalty for the goods or services concerned to another brand.
And that is the root problem that clients of Epsilon now face: a crisis of trust that will almost certainly result in reputational damage for the companies concerned.
This is the stuff of which corporate lawsuits are made of, and the fact that all the parties concerned are based in the US – one of the most litigious countries in the world – means that lawyers will now almost certainly be rubbing their hands with glee.
The fall-out from this database hack, however it was caused, is going to be interesting. The saga is hopefully going to act as a wake-up call to IT security professionals about the need to better secure their data, using a mixture of encryption, proper key management and authorised access to the databases they keep.
It also calls into question the increasingly popular trend towards outsourcing customer data to third party and specialist marketing firms, since this incident will probably trigger a rash of consequential data privacy amendments to the contracts of these firms. This will almost certainly result in more complex service level agreements for these types of services.
This case, though relatively simple on the face of it, could have profound repercussions for the marketing industry and the security of client information.