Last week multi-channel marketing service provider Epsilon suffered a breach. By now it is highly likely that you have received an email from a company you do business with explaining that your name and/or email address was exposed because of this breach. Why am I so confident that you received such an email? Because Epsilon is a major email service provider whose affected customers include:
- Capital One
- Best Buy
On one hand, you might look at what was acquired and think: not a big deal. Someone getting my name and email address will just increase my spam. But because of the breadth of companies that Epsilon served, it is possible your name appeared in more than one list. That is exactly the kind of data a spear phisher wants: not just a valid address, but a name to pair with it and a list of brands the target actually does business with, so a forged "account notice" from one of those brands arrives with the right sender, the right salutation and a plausible reason to click. I think this could help spear phishers sharpen their attacks.
It is interesting to note that some of the affected enterprises specifically name Epsilon while others simply refer to "our email service provider". The companies naming Epsilon outright are trying to get ahead of the blame game. The thought process is that a breach at my partner is my breach to clean up, at least from a reputation perspective. By naming Epsilon, these companies are trying to duck the reputation damage, even though it was their customer data and their relationship with the customer that was affected.
When the dust settles it will be mildly interesting to see how Epsilon was breached. What will be more interesting is what enterprises ask of Epsilon in terms of certifications and audits. With the coming SOC 2 and SOC 3 reports, which replace the much-misused SAS 70, companies might gain meaningful insight into a service provider's operational controls. SAS 70 was scoped to controls relevant to financial reporting and was routinely waved around as if it were a security attestation; SOC 2 is instead assessed against the Trust Services criteria (security, availability, processing integrity, confidentiality and privacy), which is what a customer handing over its mailing list actually cares about. I am not saying that having a SOC 3 report in place would have avoided these troubles, but it is becoming harder and harder to avoid partner mistakes and accidents, and enterprises need all the help they can get.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.