Epsilon data breach: What's the value of an email address?

Epsilon, an email marketing service provider, suffered a data breach last week and the apologies from its big-name customers keep belatedly pouring in. Target, Marriott, Chase and others are doing the email walk of shame.

For the record, Epsilon has nothing to add beyond its initial statement last week:

On March 30th, an incident was detected where a subset* of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

A spokeswoman said the investigation is continuing. However, two things are immediately clear:

• Whoever hacked into Epsilon landed a mother lode of email addresses. It’s a spam bonanza.
• Epsilon was dominant in its field. There’s a who’s who list of apologies in my inbox.

Take Target:

Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement. While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised.

Or Marriott:

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information.

Or Chase:

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure.

We’ll overlook the fact that these three big companies are just getting around to telling me my email address was compromised 5 days ago.

Symantec and McAfee say that details of the Epsilon breach remain sparse and that you should be on the lookout for an influx of spam. The bigger question is what’s an email address worth. Research has shown that the cost of data breaches continue to rise.

For instance, the Ponemon Institute found that the U.S. cost of a data breach was $214 per compromised record or $7.2 million per event. Indirect costs such as lost business, notification and legal defense.

So how will this turn out for Epsilon? Let’s look at a few key items:

• First, Epsilon didn’t lose personally identifiable information. Email addresses don’t carry the emotional baggage that a breach of your Social Security number would. You’re violated for sure, but it could be worse. Advantage Epsilon.
• Epsilon will lose business. A big part of Ponemon’s data breach cost estimate revolves around lost business. There’s no way that big customers will put all of their email marketing with one provider going forward. The reputation risk is too large. Related: Outsourcing email: Do the benefits outweigh the risks?
• Notification costs are a bit murky. It’s clear that Epsilon’s big customers are throwing the company under the bus. These notifications from the likes of Target are probably freebies. However, these customers don’t have to pay for free credit monitoring and don’t have to send snail mail notifications.

Add it up and it’s certain that Epsilon will lose customers and that will be the biggest cost. Epsilon will also have to pay more for forensics and audits. After that, the Epsilon data breach case is going to be informative. We may find out what a lost email address is worth.