April 05, 2011

Did You Know All Your Emails Were In One Basket?

Prior to this weekend, most of your thoughts around the word Epsilon were probably about Greek fraternities or toga parties, but headlines in the tech and security world over the last few days have us instead associating Epsilon with a company most of probably never heard of before - a massive email marketing company used by many top brands. A major security breach seems to have escorted customer email lists from respected companies many of us interact with every day, and with the names piling up, I have to wonder if we had any idea that this centralization of our relationships with companies was happening, or if we are all the unlucky benefactors of outsourcing gone wrong.

The fun started late Saturday when I first got an email from TiVo saying my email address and first name had been exposed due to unauthorized access to their email service provider.

Of course, if you know me, that's no big deal. Everybody and every spider in the world knows my main email addresses are louisgray@mac.com and louisgray@gmail.com. Tough finding that out and combining it with my mysterious first name. You know I don't have too many issues around sharing my cell phone number either - this being a key focal point of a CNN.com article on the "death of privacy" back in December.

The String of Notification Emails

Modern anti-spam measures from both Apple and Google prevent most garbage from missing my in box. For more insidious emails, that fraudulently pretend to be something they are not, which is made possible from this breach, I am wary enough not to do anything foolish.

But, as many others soon found, the first notification of a breach was followed by a second, a third, a fourth, maybe more. The next two days saw more apologetic emails following the breach, from Best Buy, Hilton Hotels and Chase Bank, to name a few. The issue reminds me a bit of the Gawker hack in December that forced people to change their passwords everywhere, myself included. So now what's exposed is not just my email address and first name, but that many companies passed the buck by putting their customer lists in the hands of a single third party who wasn't prepared for such a responsibility.

(Of course, this single third party shrugged it off as impacting a 2 percent subset of their clients)

In the 8+ years I managed our company newsletter and mailing list, from 2001 to 2009, we used a variety of partners, including Responsys and GotMarketing. Later, we put our data into Salesforce.com, and never once suffered such a breach. But in the last few years, companies have gained the ability to self-manage one's database and marketing tools, and do so independent of other companies. There's no great reason that a single third party's mistake should open up the vault to such a bonanza of brands. What this specific failure does is expose that the type of multiple verification systems and complexity expected from us as consumers isn't followed quite as well at the very companies whom we trust to watch over our personal data.

I don't have any problem with putting my email address out there. I don't mind sharing my data with TiVo and Best Buy. I shrug at Hilton and have to trust Chase, or we're toast. But I have to think we're lucky this time that the type of data accessed was so relatively harmless. People are worried that this will lead to phishing attacks and later successful breaches that get more impactful information, but for now, it seems we'll be more annoyed than ever. But think about whether you knew that all of these companies were putting your data in one basket to be raided by one intelligent hacker...

Does knowing that all these brands stuck your data in one place make you feel less safe or more safe? I think we've got to have an alternative, and self-hosting with self-managed security is looking a lot smarter these days.