The End of Digital Innocence: What Does the Epsilon Breach Mean?

Spot Quiz: What does the word epsilon mean to you? It is the fifth letter of the Greek alphabet. As I recall, in its lowercase form, epsilon stands for elasticity, among economists. There might even be a fictional spy named Epsilon.

I’ll bet that up until a few days ago you didn’t know that Epsilon was also the name of a company that has exposed millions of Americans (including you, most likely) to the increased risk of imposter fraud, a crime that made it to the Federal Trade Commission’s top ten complaints list this year for the first time. Epsilon is a unit of Alliance Data that collects consumer information from hundreds of corporate clients to manage their email marketing campaigns.

On April 1st, Epsilon posted a terse announcement on its corporate website, which set off a media frenzy and confirmed, yet again, the end of the Age of Digital Innocence:

IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Apparently, an unknown cyber ninja (or coven of ninjas) had efficiently and maliciously gained unauthorized access to the Epsilon system and caused, according to Michael Kleeman, a network security expert at the University of California, San Diego, a “massive hemorrhage” of what has heretofore been considered non-personal identifying information, yet now is viewed by a growing number of privacy experts as the Social Security Number in the Digital Age—the email address combined with a name. In other words, the data that consumers provided to many large companies, such as J.P. Morgan Chase, Citibank, Kroger, Target, Best Buy, Disney Destinations and Verizon, could now be in the hands of guys we would never want to friend on Facebook.

If you didn’t know anything more than that, it would be horrifying enough. After all, despite thousands of privacy policy disclosures and enormous media attention, most folks don’t know (or don’t want to know) that information provided to trusted financial institutions, service providers or retail stores is shared with other companies. Again, I’ll bet most Americans didn’t know that there even was a company called Epsilon. But worst of all, we still don’t know, even now, how much information Epsilon really has, or which information was truly hacked. It was publicly announced that, not to worry, only email addresses were stolen. I received several frantic emails from banks with which I have relationships assuring me that only my email address was no longer secure.

Let’s make the salutary (and perhaps facile) assumption that the press releases and email alerts are accurate. So all the bad guys have is our email addresses and our names, right? No biggie, right? Well, not exactly. The problem is that our email addresses are also our user IDs on many websites. Few people are willing to change their email addresses, because too many other people would have to be notified. So in my case, I will have to strengthen my already strong passwords—again.

Heck, it’s gotten so complicated that my current password contains several letters (some upper-, some lowercase), a few numbers, and symbols I have inserted in the place of letters (and forget about the punctuation marks I must now liberally sprinkle throughout). It seems like no password—even those reminiscent of chemical compounds—is enough anymore. (To say nothing of the “secret questions” many sites rely upon to recover forgotten passwords. In the Facebook age, it’s not difficult to figure out someone’s high school or mother’s maiden name, so users should treat the answers to these questions as secondary passwords, or give responses completely unrelated to the question prompt.)

Image: SigEp NV Alpha ’03, via Flickr.com
