The Epsilon database breach wasn’t anything exceptional, but I thought I’d use it as a case study to make a few points. If the press releases are to be believed, the stolen data consists only of the names and email addresses of customers of around 55 high-profile companies. That’s apparently just a fraction of the 2,500 companies that have dealings with Epsilon, which is actually a subsidiary of Alliance Data Systems (something the media isn’t reporting). If a former Citibank infosec person is anything to go by, there’s a strong possibility more information could have been stolen. More than a few commenters on the CNET Insecurity Complex blog reported their credit card details were compromised around March 30th 2011, which may have been related.
But for the most part, there’s just been the increase in unsolicited mail. As one person commented at eWeek.com: ‘I have been contacted from 4 different companies stating that someone hacked into their system, but not to worry they only have my email, address, phone number. I now have more spam mail and have to unplug my phone at night, due to the high volume of marketing calls.’
A Bad Idea
Maintaining a database that hundreds of people need to access in real time involves guarding it against insider and network-based threats. Because such databases must be constantly accessible, their security depends on access control and on establishing the database’s exact purpose – getting a perfect balance between confidentiality and availability – rather than on encryption. We must also question whether a database should be created in the first place, and if so, what the scope of the data should be and whether it should sit on a closed network separate from the wider Internet. When databases are high-profile and accessible through the Internet, they’re certain to get hacked eventually. This is why something like the National Identity Register, which was being pushed by the Labour government in 2006, was such an idiotic and dangerous idea. My point here is that databases often cause more problems than they solve.
Unfortunately, the very people who insist on collecting all this information on us, whether overpaid spammers like Epsilon executives or Labour ministers, are full of marketing speak and have very little understanding of the above. They’re certainly not qualified to put everyone at risk.
Epsilon and the many other marketing firms of that kind don’t need to worry about security, because our personal information is a commodity traded between companies we’ve never even heard of. We’re not the consumers in this context. The occasional lawyer fees cost less than hiring security professionals, and it’s extremely unlikely there’ll be a mass boycott of Epsilon’s client businesses. Alliance Data Systems could easily set up another subsidiary just like Epsilon and continue where they left off in sending their 40 billion spam emails per year, should the worst happen.
But most people will find it hard to distinguish a well-written fake from a legitimate advertising email, and that’s going to seriously limit the ability of Epsilon’s clients to market their stuff this way.