Like me, maybe you have received a notice in the last few days from one of many institutions that were affected by a major data breach of Epsilon, an online marketing firm. So far, we are told, mostly e-mail addresses were compromised, but in some cases so were customer names. You might not think this sounds terribly alarming, unlike, say, the T.J. Maxx episode in 2007 that included the loss of 45 million debit and credit card numbers. But you would be wrong
In the T.J. Maxx scenario, only the reputation and brand of T.J. Maxx was impacted. In this case, Epsilon is the service provider to a significant list of top-tier financial institutions including Barclays Bank, U.S. Bancorp, Walt Disney, Marriott, Ritz-Carlton, Best Buy, L. L. Bean, Home Shopping Network, TiVo and Target. The ongoing concern is that customers of these institutions can now be specifically targeted for fraudulent e-mail threats know as ‘spear phishing.’ (Though notice of the breach was sent to me by e-mail, oddly enough
In the T.J. Maxx case, the credit cards and debit cards were quickly canceled and replaced by the issuers (Visa, Mastercard, etc.). And in most cases these days, unlike in the recent past, the customer is not even responsible for the first $50 of fraudulent charges (Bank of America tells me that I will not be responsible for any fraudulent charges!). This lack of material and financial impact on a customer of T.J. Maxx helps explain why after their breach, not only did the sales of the company continue as before, but their stock price suffered no long-term ill effect. Average customers liked what the stores offered in terms of fashions and prices and disassociated the breach itself from the stores and the merchandise.
In the Epsilon case, however, I fear the result will be much more disastrous for them. The publicity around this episode alone is more significant than most other ones like it. Rush Limbaugh actually used the Epsilon example today to sell one of the identity theft products he touts on his show. The actual service offered by Epsilon can easily be replaced, but the untarnished reputation of the brand whose customer falls prey to a fraudulent e-mail cannot so easily be restored. If my identity is stolen after I click on a fake e-mail from my bank, I am going to remember and negatively associate the experience with the bank, not the e-mail marketing vendor who didn’t encrypt my e-mail address and name in their database.
We are not sure yet just how lax Epsilon was in their security controls that led to this incident. Whether or not they were as lax as T.J. Maxx was, will be uncovered in brutal detail in the process over the next few weeks, especially in the security world. Security folks will be using this very case as a way to reiterate the internal message of due care and the need for this or that software or hardware to help protect their own shop from suffering a similar fate.
This unfortunate series of events highlights the kind of brand and reputation risk a firm can suffer when outsourcing even the most seemingly innocuous service. Proper vendor management and due diligence of service providers will be the talk of the town over the next couple of months. Your clients will be asking what and how you do it in your shop, without a doubt. So be ready with a solid response.