Former Epsilon CEO likens massive email breach to shopping mall master key
The list of victims in last week's security breach at email marketing firm Epsilon Interactive continues to grow, expanding to as many as 50 companies and exposing thousands (perhaps even millions) of customers' names and email addresses to potential spammers and phishing scammers.
Al DiGuido, an email marketing expert and the CEO of Zeta Interactive, served as CEO of Epsilon Interactive from 2001 to 2007. On Friday, he gave us his insight into what possibly went wrong at Epsilon and what could have been done to prevent the breach.
"The talk of spear phishing attacks and such is all just conjecture," DiGuido began. "I know Epsilon to be very ethical and very professional, and very, very focused in terms of data security. I know they're turning over every stone to try and find out how someone could have gotten through to access their data. It's clear that unauthorized entry into a shared area is what led to the firewalls between companies being compromised."
"I'd say it was kind of like getting a key to a shopping mall, and when you unlocked that first door and walked inside, all the stores which were supposed to be locked themselves, weren't," DiGuido said.
It's a crystal clear analogy: an unauthorized party gained access to a shared environment, and the walls between the data fields for each company inside were compromised.
Fortunately, third-party email service providers rarely have any personally identifiable information in their databases, so a compromise of this nature can only open the door to social engineering attacks; it cannot directly expose sensitive user data.
"Marketers capture marketing information: whether you opened a mail, whether you clicked on something, whether you transacted," DiGuido said. "At no time is there ever a co-mingling of personally identifiable information with marketing information. Social Security information, credit card information, and such will never be in the same database as marketing information. In the few cases where the same company hosts all customer information, it's always highly encrypted, making PII undecipherable to the provider or to anyone else who's trying to intrude."
The real horror of this compromise is its scale, and the fact that a single entry could give an attacker such a huge list of potential phishing victims. DiGuido says companies that want to really protect their data from this sort of occurrence do have options, though.
"To prevent this from happening, we advise customers to set up dedicated environments. Let's say Betanews is a customer, we set you up in a dedicated sending environment, it's going to be your server, your instance of the platform, and your database. You will not share it with anyone. It will just be yours," DiGuido said on Friday. "What we do then is set up dedicated IP addresses, pathways to that data, that are assigned to you and your company and are only accessible by your company."
"There's never any foolproof system, but you're trying to set greater and greater barriers that the bad guys have to penetrate in order to get something done. So dedicated email sending environments, we feel, are one of the best solutions today for a company that wants to prevent that kind of 'shopping mall' attack."