Epsilon: Exposing the Weakest Link

For years, the buzz phrase in cybersecurity has been that a network is only as strong as its weakest link. In the last two days, I have received email alerts from six companies that I've shopped or otherwise done business with online telling me of a data breach and warning me that my email may have been compromised.

All six companies apparently were using the online email marketing firm Epsilon, a division of Alliance Data Systems Corp., whose networks were hacked last week. The intruder gained access to an unknown number of email addresses and names from some of Epsilon's 2,500 clients. The extent of theft is unknown but may be one of the largest unauthorized intrusions in history, as Epsilon sends more than 40 billion email ads and offers annually.

The increasing use of a third-party company to handle personal information raises questions about how we eliminate the weakest links and the cascading effects that can occur if such a company's systems are compromised. When conducting ourselves online, sharing information with known and trusted entities may mean little if those entities, in turn, are using outside services to store and communicate with us (with or without our knowledge).

While companies such as Epsilon may have strong security practices, they are still vulnerable to attack and are attractive targets as hackers can, in effect, one-stop shop for data and information. In Epsilon's case, sensitive information was allegedly not accessed. But what if it had been?

For now, the biggest worry coming out of the incident is concern among affected companies that their customers will see an increased number of spam attacks. As one of the emails I received this morning noted, I should follow these tips:

  • Don't provide sensitive information through email. Regular email is not a secure method to transmit personal information.
  • Don't provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email.
  • Don't open emails from senders you don't know.

It is very likely that some individuals affected by the compromise will not follow these tips. As a result, the weakest link potentially could become thousands of weakest links as unwitting consumers fall victim to "phishing" email scams related to the data breach.

From a privacy perspective, there is another concern that may not be on the radar of any of the individual businesses affected but potentially could be worrisome to many consumers. Specifically, what type of information about a consumer's habits can the hackers glean from an email address? If the compromised information is listed by multiple companies, could a hacker assess consumers' patterns? Would that give said hacker the capability to conduct more sophisticated "phishing" scams or other potential illegal activity -- just from capturing the lists to which one belongs?

In the early days of hacking, many culprits succeeded not through sophisticated technological attacks but through social engineering. Could the Epsilon breach open up a new era of social engineering, which uses victim's behavioral patterns as its basis? A hacker version of behavioral advertising? We will see as more details become public about the Epsilon attack.