Epsilon, an email marketing service provider, suffered a data breach last week and the apologies from its big-name customers keep belatedly pouring in. Target, Marriott, Chase and others are doing the email walk of shame.initial statement last week:
On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.
A spokeswoman said the investigation is continuing. However, two things are immediately clear:
Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement. While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised.
We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon's accounts including Marriott's email list.
In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information.
Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure.
We'll overlook the fact that these three big companies are just getting around to telling me my email address was compromised 5 days ago.
Symantec and McAfee say that details of the Epsilon breach remain sparse and that you should be on the lookout for an influx of spam. The bigger question is what's an email address worth. Research has shown that the cost of data breaches continue to rise.
For instance, the Ponemon Institute found that the U.S. cost of a data breach was $214 per compromised record or $7.2 million per event. Indirect costs such as lost business, notification and legal defense.
So how will this turn out for Epsilon? Let's look at a few key items:
Add it up and it's certain that Epsilon will lose customers and that will be the biggest cost. Epsilon will also have to pay more for forensics and audits. After that, the Epsilon data breach case is going to be informative. We may find out what a lost email address is worth.