On March 30, the email marketing company Epsilon was hacked. It's too soon to tell how widespread the exposure is. Right now, Epsilon has said that the customer lists of a number of major brands have been compromised.
Epsilon claims that no personal information other than names and email addresses was revealed. Being a naturally suspicious person, I think I would rather wait for the other shoe to drop before breathing a sigh of relief, and keep an eye out for targeted phishing scams in the meantime.
I just received an email from TiVo:
Dear TiVo Customer,
Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.
We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.
Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.
Sincerely, The TiVo Team
I think it's great that the companies whose marketing lists were hit notified their customers. However, this is April 2, and the intrusion at Epsilon happened 3 days ago. In internet time, that's pretty much a lifetime. Stolen information could have circled the globe a dozen times by that point. Epsilon themselves took 2 days to put out the press release; perhaps they notified the customers earlier, but it's a moot point.
This situation points out a glaring fault in outsourcing your email marketing to a third-party company. Putting aside for a moment that there are plenty of email marketing firms out there that don't play nice or by the rules (i.e., spammers), there's also the issue of corporate security and responsibility.
When something like this happens, people usually get fired. But if your company outsources its email to a third party, does your company make someone internally a scapegoat and fire them, even though the intrusion didn't happen on your own network? Do you take it out on the people who chose to outsource? Or on the ones responsible for choosing that specific email provider?
Obviously, after a situation like this, heads do roll. And quite often it's through no fault of your internal employees or the external marketing company. Sometimes you just can't stop a dedicated, persistent hacker.
If the marketing company did its due diligence and secured its network as well as possible, you can't blame them, unless, of course, your contract with them states that they owe you damages if they are unable to keep your information secure.
If you don't want to hear excuses about shifted blame, take responsibility for your own data and host the email within your company. It's not that hard to host your own mailing lists, and it doesn't take as many resources as you might think. Applications like LISTSERV and Majordomo have been around for years and can handle millions of messages per day.
Maybe it's time for big companies with large IT departments to rethink outsourcing some of their critical customer data and bring it back in house. At least then if you get compromised you can blame yourself, instead of worrying about your data being handled by strangers.