Gartner Blog Network

What are the dangers with the Epsilon breach?

by Avivah Litan  |  April 4, 2011  |  2 Comments

I think we do need to be concerned about this breach for several reasons:

a) This incident points out the major risks involved in outsourcing even ‘seemingly low risk’ applications, such as email or word processing and highlights the even bigger risks in outsourcing more sensitive applications, such as authentication. Companies need to think twice or even three times before going down this path.

b) We don’t have standards and enforcement around them for protection of PII (personally identifiable information) data like we do around payment card data, where PCI standards apply. Here we are almost 7 years after the October 2004 ChoicePoint breach, and are there any rules that proactively protect against this type of breach? There is no private sector constituency that owns PII data, like there is when it comes to protecting payment card data, i.e. the banks and card companies, who brought us PCI. This is an area where more government guidelines and rules are increasingly needed, in my opinion.

c) Finally, we should be very concerned about this data breach, even if on the surface it does not appear that highly sensitive data were stolen (what was exposed were customer names and email addresses together with which client companies' mailing lists they were on). The criminals are definitely trending towards targeted attacks, and those often start with spear-phishing emails. Let's say they are after a government employee at a certain agency, so that they can infiltrate our nation's systems. They could conceivably use the stolen Epsilon information to figure out where that employee has interacted, for example which retailers' mailing lists he is on, which newsletters he subscribes to, or where he banks, and use that knowledge to send a very well crafted email to the employee that carries a malware payload, which once opened can help the criminals find their way into sensitive government files.

So this is not an incident to take lightly. It raises all kinds of issues, as noted above. We've seen a couple of very highly visible examples of targeted spear-phishing attacks, the most recent one being the attack on RSA involving its SecurID product. Operation Aurora against Google and others also reportedly started with spear-phishing. A seemingly innocuous and harmless email can lead to all sorts of really big problems.
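The scenario in point c) is what a security team has to act on after a notification like Epsilon's: work out which of its own people are in the leaked data, which brands an attacker can now credibly impersonate against each of them, and then watch inbound mail for exactly those pretexts. The script below is an added example, not code from the original post or from Epsilon or its clients. The leaked records, the staff domain and the brands' legitimate sending domains are all constructed for illustration; in practice the last set would come from each brand's published SPF record or its past mail.

```python
"""
Added example: correlate a third-party mailer leak of (email, brand) pairs
with an organisation's own staff, rank who is most exposed, and flag inbound
mail that claims to be a brand a recipient was leaked with but arrives from
an unknown sender domain. All data below is constructed, not real.
"""
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample of the record type a bulk mailer holds: customer
# address plus the client brand whose list it sits on.
LEAKED_RECORDS = [
    ("j.doe@agency.example.gov", "Example Bank"),
    ("J.Doe@Agency.Example.Gov", "Example Bank"),      # same person, different case
    ("j.doe@agency.example.gov", "Example Retailer"),
    ("k.lee@agency.example.gov", "Example Newsletter"),
    ("someone@unrelated.example.com", "Example Retailer"),  # not our staff
    ("m.chan@agency.example.gov", "Example Bank"),
    ("m.chan@agency.example.gov", "Example Airline"),
    ("m.chan@agency.example.gov", "Example Retailer"),
]

# Assumption: the domain(s) the organisation's staff use.
ORG_DOMAINS = {"agency.example.gov"}

# Assumption: domains each brand legitimately sends from (constructed).
BRAND_SENDER_DOMAINS = {
    "Example Bank": {"examplebank.example"},
    "Example Retailer": {"mail.exampleretailer.example"},
    "Example Newsletter": {"news.example"},
    "Example Airline": {"exampleair.example"},
}


def normalize(addr: str) -> str:
    """Lower-case and trim so duplicates with different casing merge."""
    return addr.strip().lower()


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2]


def exposed_staff(records, org_domains):
    """Map each exposed staff address to the sorted brands it was leaked with."""
    exposure = defaultdict(set)
    for raw_addr, brand in records:
        addr = normalize(raw_addr)
        if domain_of(addr) in org_domains:
            exposure[addr].add(brand)
    return {addr: sorted(brands) for addr, brands in exposure.items()}


def pretext_report(records, org_domains):
    """Staff ranked by how many brands an attacker could impersonate to them."""
    exposure = exposed_staff(records, org_domains)
    return sorted(exposure.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def brand_watchlist(records, org_domains):
    """How many staff each brand's lookalike mail could plausibly target."""
    counts = defaultdict(int)
    for brands in exposed_staff(records, org_domains).values():
        for brand in brands:
            counts[brand] += 1
    return dict(counts)


def score_inbound(recipient, from_header, records=LEAKED_RECORDS,
                  org_domains=ORG_DOMAINS, sender_domains=BRAND_SENDER_DOMAINS):
    """Return a reason if the message looks like a lure built from the leak.

    A lure here means: the From display name or address names a brand the
    recipient was leaked with, but the From domain is not one that brand is
    known to send from. Returns None otherwise.
    """
    brands = exposed_staff(records, org_domains).get(normalize(recipient), [])
    display, addr = parseaddr(from_header)
    from_dom = domain_of(normalize(addr))
    for brand in brands:
        in_display = brand.lower() in display.lower()
        in_addr = brand.lower().replace(" ", "") in addr.lower()
        if (in_display or in_addr) and from_dom not in sender_domains.get(brand, set()):
            return (f"claims to be {brand}, which {normalize(recipient)} was "
                    f"leaked with, but was sent from {from_dom}")
    return None


if __name__ == "__main__":
    for addr, brands in pretext_report(LEAKED_RECORDS, ORG_DOMAINS):
        print(f"{addr}: {len(brands)} impersonable brands: {', '.join(brands)}")
    print("watchlist:", brand_watchlist(LEAKED_RECORDS, ORG_DOMAINS))
    print(score_inbound("J.Doe@Agency.Example.Gov",
                        "Example Bank Security <alerts@examplebank-secure.example>"))
```

The ranking tells the team whom to warn first and with which pretexts; the watchlist tells the mail gateway which brand names deserve extra scrutiny. The inbound check is deliberately scoped to brands a given recipient was actually leaked with, so it complements rather than replaces the general lookalike-sender rules a gateway should already run.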



Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio

Thoughts on What are the dangers with the Epsilon breach?

  1. Bob says:

    This is a bit of an overreaction, as there is not yet an indication of spear phishing attacks. They might well happen but to judge this event on what might happen is premature. We need to wait awhile to see how this event unfolds. Security professionals need to create a sound sense of events and alert people properly, not create a sense of panic.

  2. Peter S. says:

    I received breach alert emails from several companies including Chase and Citi, I’m concerned about it and agree with Avivah about the risk involved.

    This breach is massive as it affects tens of millions of victims with their financial institutions and online retailers association. Weak passwords of these victims are yet another vulnerability that is now exposed. Hackers must have targeted Epsilon with a plan, and now they must be executing the plan.

    Bob, you may be the only person who is not concerned about this massive incident. I hope you are not an Epsilon insider.

    We victims deserve to know the details, timing and magnitude of this breach esp. after receiving breach notifications from several companies. Epsilon so far is giving only marketing spins – calling it “only 2%” is baloney when some of these companies involve tens of millions of customers. Epsilon should come forward to the public with all the details gracefully. Otherwise, the situation would only get worse and they would be forced to do it with humiliation.
