The following text is copyright 2011 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Epsilon breach: when should almost public info be private?
By: Scott Bradner
A press feeding frenzy followed the, somewhat vague, April Fools Day announcement (http://www.epsilon.com/News & Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3) by Epsilon Data Management that someone had hacked into their systems and stolen a bunch of email addresses. The email addresses were of people who had "opted in" for email marketing by a bunch of major vendors. Many of the vendors sent announcements of the breach to their own customers. (I got such an announcement from a vendor I had purchased a present for my wife from - the announcement did not say all that much, essentially it told me to "be careful".) Was this an important breach? What should you do to if you have amassed a pile of such information?
We did not find out all that much about the Epsilon Data Management breach from the first press release (other than to say that they did not quite live up to the promise of their corporate name, at least that is not how I expect their customers expected them to manage the data). And the second press release did not add much actual data. (http://www.epsilon.com/News & Events/Press_Releases_2011/Alliance_Data_Provides_Statement_Surrounding_Unauthorized_Entry_Incident_at_Epsilon_Subsidiary/p1061-l3) It seems to me that it would be better for Epsilon to be more forthcoming as to the scale of the breach and other details. (http://www.networkworld.com/columnists/2011/032811bradner.html)
It might be fun to try to figure out why the press found this breach so interesting. (This publication had 10 articles on it and Google news picks up over 3000.) By any objective measure, loss of a bunch of email addresses pales in comparison to what else has been going on - for example the breach at Ohio State University that may have exposed 760,000 names and social security numbers of current and former Ohio State "faculty, students and staff as well as applicants and other individuals who have been associated with the university." (http://www.osu.edu/creditsafety/) The Ohio State breach seems to have gone unnoticed by most technical publications.
The biggest threat from the Epsilon breach to those whose email addresses were stolen is that you may receive better-targeted phishing attempts. RSA's description of how their recent breach happened does show that the risks of phishing attacks can be quite real. (http://blogs.rsa.com/rivner/anatomy-of-an-attack/) But the risk with exposing email addresses will always be far less than with exposed SSNs since so many institutions, such as banks, think that anyone with the knowledge of your name and SSN must be you - a stunningly stupid, and common, assumption.
But there clearly is a lesson that enterprises should learn from the Epsilon situation - any enterprise that stores any significant amount of information that some part of the public might consider to be, to some degree, private needs to actually protect that information from theft. One example of a reasonable best practice for protecting private information on such protection is the Payment Card Industry's Data Security Standards. (PCI DSS) (https://www.pcisecuritystandards.org/security_standards/)
There is a lot in the PCI DSS that might be overkill if you are only protecting a database full of names and email addresses but the basic system architecture makes a lot of sense. For example, you should not store any confidential information on any web server - ever. If you do need to store confidential data, the data should be stored on a backend database with a firewall between the database and any web server, and between the database and any enterprise users.
Such protections do not always prevent hackers from being successful but they do make things harder for the hacker and give you a better story to tell if you do get hacked.
disclaimer: Harvard has classes on how to tell stories (e.g., www.hks.harvard.edu/syllabus/2011/947/MLD-355M.pdf) but I have not taken that class or asked the instructors about the above story so it must be my own.