Epsilon's epic fail: The numbers don't add up

We're beginning to see the fallout from the security breach of Epsilon's email, and something about the data doesn't smell right

If you haven't yet received an email message from a major company, warning that your email address may have been compromised, you will.

The bad news in the aftermath of the Epsilon data breach just keeps rolling in. Here's where we stand -- and what your users need to know.

On April 1, online marketing firm Epsilon Data Management -- InfoWorld curmudgeon-in-residence Robert X. Cringely calls them "spammers in expensive suits" -- sent out a press release saying that "a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

On April 4, Epsilon updated the press release, adding this puzzling footnote: "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services." I'll talk about that in a moment.

That's the full extent of all the information that Epsilon has released. It isn't clear who took the data. It isn't even clear how Epsilon found out the data was missing.

Epsilon's a big company: Its website says it has 2,200 employees and 2,500 clients, "including 7 of the Fortune 10 who trust Epsilon to build and host their customer databases." It claims to send more than 40 billion emails annually.

We're still in the dark about exactly what data was stolen. St. Louis-based Scottrade -- one of Epsilon's breached clients -- told the St. Louis Business Journal: "An unauthorized person outside of their company accessed records that included names and email addresses of some Scottrade customers and others who have previously provided us with their contact information. Epsilon has advised us that the files accessed did not contain any account or other information."

Security researcher Brian Krebs is compiling a list of companies that have notified their customers about the Epsilon breach. That list includes one of the aforementioned Fortune 10: JPMorgan Chase. Krebs lists more than 50 companies, including Ameriprise, Barclays, Capital One, Chase, Citibank, Moneygram, TD Ameritrade, TIAA-CREF, U.S. Bank, and WFN National Bank in the financial arena, as well as many other well-known brands such as Best Buy, Brookstone, The College Board, Dillons, Disney Vacations, Hilton, Marriott International, Eddie Bauer, Fred Meye, Fry's, Kroger, L.L. Bean, Marks & Spencer, Ralphs (a Kroger brand), Target, and Walgreens.

But that isn't the whole list. Consumers who have received notices from other companies are responding to Krebs's list and adding new companies. I, personally, have received Epsilon warning emails from Scottrade and Marriott International, and neither of those are on Brian's list.

The numbers don't add up. Epsilon's footnote would lead you to believe that data from 2 percent of Epsilon's customers had been pilfered -- but 2 percent of 2,500 is considerably fewer than the number of companies already identified with Krebs's grassroots approach. The total number of stolen email addresses must be astronomical.

There's something else that doesn't smell right. Epsilon said, "The information that was obtained was limited to email addresses and/or customer names only." Yet Scottrade hints that noncustomers -- "others who have previously provided us with their contact information" -- are also included.

Epsilon is also mum on the question of whether the stolen data could be associated with a specific Epsilon customer. Having a list of 100,000 email addresses is one thing. Having a list of 100,000 valid email addresses from JPMorgan customers opens up an entirely different realm of possibilities.

That raises yet another question. If zillions of email addresses were stolen, and the thief or thieves can't tell which Epsilon customer they came from, what is Epsilon doing, sitting on a big pool of undifferentiated email addresses and names?

In a final bit of irony, those messages from Epsilon's customers, warning consumers that their email addresses had been compromised -- the messages from Citibank and Target and Eddie Bauer? It looks like all of them came from ... you guessed it, Epsilon. After all, the customers don't have their own mailing lists.

No doubt you've already advised your users about phishing a hundred times over. Now would be a good time to remind them.

This story, "Epsilon's epic fail: The numbers don't add up," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform