Gartner Blog Network


Am I my brother’s breacher?

by Ian Glazer  |  April 4, 2011  |  3 Comments

Last week multi-channel marketing service provider Epsilon suffered a breach. By now it’s highly likely that you received an email from a company you do business with explaining that your name and/or email address was acquired because of this breach. Why am I so confident that you received such an email? Because Epsilon was a major email provider service whose affected customers include:

  • Chase
  • Capital One
  • Tivo
  • Hilton
  • Best Buy

On one hand, you might look at what was acquired and think – not a big deal. Someone getting my name and email address will just increase my spam. But because of the breadth of companies that Epsilon served, it is possible your name appeared in more than one list. I think this could help spear phishers sharpen their attacks.

It is interesting to note that some of the affected enterprise specifically name Epsilon while others simply refer to Epsilon as their email service provider. The companies naming Epsilon outright are trying to get further ahead of the blame game. The thought process is that a breach by my partner is my breach to clean up – at least from a reputation perspective. By naming Epsilon, these companies are trying to duck the reputation damage.

When the dust settles it will be mildly interesting to see how Epsilon was breached. What will be more interesting to see what enterprises ask of Epsilon in terms of certifications and audits. With the coming SOC 2 and 3 reports, replacing the ill-used SAS 70, companies might gain meaningful insight into a service provider’s operational controls. I’m not saying that having a SOC 3 report in place would have avoid these troubles, but it is becoming harder and harder to avoid partner mistakes and accidents, and enterprises need all the help they can get.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: privacy  

Tags: breach  epsilon  sas70  

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs. Read Full Bio


Thoughts on Am I my brother’s breacher?


  1. Tidua says:

    How can you say that seeing what certification/audit decisions the company makes going forward is more interesting than the attack itself?

    For your edification, SAS 70 audits and SOC reports are performed by CPA firms for various purposes, but they definitely are not designed to detect or prevent theft or hacks. Furthermore, they all opine on a point in time, or a period of time, which is ALWAYS in the past. The reports specifically state that users should not project the findings to future periods, which is presumably when this event happened.

    Of course, if I’m wrong, I guess we should see the demand for SOC 2 examinations and SOC 3 certifications sky rocket…b/c those assessments somehow ensure companies aren’t vulnerable to attacks??? We should all pray that the IT world doesn’t really believe CPA firms are the answer.

  2. Ian Glazer says:

    The reason why I think seeing what enterprises ask for in terms of audits and certification is that it will indicate the kinds of controls that companies will want to see in place before doing business with a service provider. Today a SAS 70 is a poor way of gaining meaningful visibility into the active controls (and their efficacy) a service provider uses, but unfortunately it is one of the few tools enterprises have at their disposal. The SAS 70 was never truly meant to be used the way it has been and thus the hope is that the SOC reports will be a better tool for the job. Certainly a certification is no magic charm that imbues invulnerability to the holder, but with direct access to audit a service provider (not to mention the capability to perform such an audit) certifications are one of the things (good, bad, or indifferent) that enterprises use in their evaluations of potentials partners. This is a topic I explored in greater depth in my report Partnering via Privacy: Healthcare as Exemplar.

  3. Tidua says:

    It’s still strange to me that you would focus on a report that is designed to opine on controls that are relevant to the financial reporting of customers of an organization…versus security. SAS 70 is perfectly designed for those purposes, but not so much for other purposes.

    Your statements about SOC 2 and SOC 3 indicate that you may not fully understand them. SOC 3 has existed for quite a while and is simply being re-branded. Market adoption of SysTrust (aka SOC 3) is not widespread. SOC 2 is little more than SOC 1 without an ICFR focus. If you don’t care for SAS 70 for these purposes, prepare to be disappointed by SOC 2.

    BTW, per the BSi certificate directory, Epsilon carries ISO 27001 certification at three facilities. Wouldn’t you consider that to be far more relevant to this situation than an accounting report?

    http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+500222&searchkey=standardXeqXISO/IEC%2027001XandXcompanyXeqXepsilon



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.