I think we do need to be concerned about this breach for several reasons:
a) This incident points out the major risks involved in outsourcing even ‘seemingly low risk’ applications, such as email or word processing, and it highlights the even bigger risks in outsourcing more sensitive functions, such as authentication. Once a third party holds your data, its security posture becomes yours. Companies need to think twice, or even three times, before going down this path.
b) We have no standards, and no enforcement behind them, for the protection of PII (personally identifiable information) comparable to what we have for payment card data, where the PCI standards apply. Here we are almost 7 years after the 2004 ChoicePoint breach, and are there any rules that proactively protect against this type of breach? There is no private sector constituency that owns PII the way the banks and card brands own payment card data; they had a direct financial stake in the losses, and that is what brought us PCI. This is an area where more government guidelines and rules are increasingly needed, in my opinion.
c) Finally, we should be very concerned about this data breach even if, on the surface, no highly sensitive data appear to have been stolen. Criminals are definitely trending towards targeted attacks, and those attacks often start with targeted spear-phishing emails. Let’s say they are after a government employee at a certain agency, so that they can infiltrate our nation’s systems. They could conceivably use the stolen Epsilon information to work out where that employee has interacted: which retailers’ mailing lists he is on, which newsletters he subscribes to, or where he banks. With that context they can send a very well crafted email, apparently from a sender he already trusts and expects to hear from, carrying a malware payload. Once it is opened, that malware can give the criminals a foothold from which to find their way into sensitive government files. Names and email addresses alone are ‘low sensitivity’ only until they are paired with the relationships that make a lure convincing.
So this is not an incident to take lightly. It raises all kinds of issues, as noted above. We’ve seen a couple of very highly visible examples of targeted spear-phishing attacks, the most recent being the attack against RSA, in which the attackers got at information related to its SecurID product. Operation Aurora against Google and others also reportedly started with spear-phishing. A little seemingly innocuous and harmless email can lead to all sorts of really big problems.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.