It Must Have Been a Big Data Breach

Over the past few days I have received several e-mails from reputable companies indicating that their database marketing vendor experienced a breach. The messages are very similar, each one looking somewhat like the following:

Dear Customer:

We were notified by our database marketing vendor, Xxxxxx, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Xxxxxx that the files accessed did not include any customer financial information, and Xxxxxx has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

• Do not open e-mails from senders you do not know

• Do not share personal information via e-mail

Yyyyyy, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Yyyyyy, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at {e-mail address}.

As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

Sincerely,

Yyyyyyy

Well, I have several thoughts about this. First of all, that first paragraph sure goes to extremes trying to place the blame on company Xxxxxx. I had never heard of this company, but I had heard of all the company Yyyyyys. And I blame the company Yyyyyys because they are the ones I entrusted my data to. I would feel a lot better if these companies did not seem to try to put the blame on their database marketing company — even if it was their fault.

Secondly, never click on a link in an e-mail. Ever. It is just not worth it.

Finally, even though financial data was not breached, the cost of a data breach is not going to be insignificant. A recent study by the Ponemon Institute reports the cost of a data breach as ranging between $174 per record and $268 per record (depending on rapidity of response). The total cost of a data breach comprises many factors, including how much companies spend on detecting data losses, notifying victims, hiring forensic experts and paying for free credit checks for affected consumers. Perhaps the biggest contributor to the cost of a data breach is lost business.

How can you help to protect your organization against data breaches? Well, one thing you can do is invest in data access monitoring (or database auditing) software. Tracking the details of who is accessing data and what is done with it can help to detect and contain a breach before it becomes a bulk loss. By knowing who is doing what to which data, and when, you can establish normal access patterns and quickly uncover activity that departs from them… and put a stop to it before it is too late.
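To make the "who is doing what to which data, when" idea concrete, here is an added example (not code from the original post or from any auditing vendor) that runs a simple detection pass over database audit records. It assumes an audit log with one record per statement carrying the timestamp, database user, client host, SQL text and rows returned; the record format, the thresholds, the table and host names, and the log lines themselves are constructed for this demo. The scenario mirrors the breach described above: an application account that normally reads one subscriber at a time is suddenly used, from an unfamiliar host in the middle of the night, to pull the entire names-and-e-mails table.

```python
"""Detection pass over database audit records (illustrative, constructed data)."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log ('|' separated because SQL text contains commas):
# a few days of normal marketing-app traffic, then a bulk pull of the whole
# subscriber table by the same account from an unexpected host at 02:14.
AUDIT_LOG = """\
ts|user|host|rows|sql
2011-03-28 09:12:03|mkt_app|10.1.5.20|1|SELECT name, email FROM subscribers WHERE id = 4411
2011-03-28 11:40:17|mkt_app|10.1.5.20|1|SELECT name, email FROM subscribers WHERE id = 9120
2011-03-29 10:03:44|mkt_app|10.1.5.21|3|SELECT name, email FROM subscribers WHERE client_id = 7
2011-03-29 14:22:09|mkt_app|10.1.5.20|1|UPDATE subscribers SET opt_out = 1 WHERE id = 9120
2011-03-30 09:55:31|mkt_app|10.1.5.21|2|SELECT name, email FROM subscribers WHERE client_id = 12
2011-03-30 13:01:58|report_ro|10.1.7.4|40|SELECT client_id, COUNT(*) FROM subscribers GROUP BY client_id
2011-03-31 02:14:47|mkt_app|203.0.113.77|2500000|SELECT name, email FROM subscribers
"""

# Assumed policy inputs: which tables hold personal data, which hosts the
# application is expected to connect from, and what "normal hours" means.
SENSITIVE_TABLES = {"subscribers"}
KNOWN_HOSTS = {"10.1.5.20", "10.1.5.21", "10.1.7.4"}
BUSINESS_HOURS = range(7, 20)      # 07:00 through 19:59
BULK_FACTOR = 50                   # rows returned vs. the user's typical count
MIN_BULK_ROWS = 1000               # ignore small absolute counts
MIN_SCORE = 2                      # indicators needed before alerting


def parse_log(text):
    """Parse the audit log into dicts with a datetime and an int row count."""
    records = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="|"):
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def touches_sensitive(sql):
    """Crude check: does any token of the statement name a sensitive table?"""
    return any(w.lower() in SENSITIVE_TABLES for w in sql.replace(",", " ").split())


def unfiltered_read(sql):
    """A SELECT with no WHERE clause reads the whole table."""
    s = f" {sql.strip().lower()} "
    return s.lstrip().startswith("select") and " where " not in s


def analyze(records):
    """Score each statement against several indicators; return the alerts.

    The per-user baseline is built as the log is replayed, so each record is
    judged only against what that user had done before it.
    """
    history = defaultdict(list)    # user -> row counts seen so far
    alerts = []
    for rec in records:
        reasons = []
        if touches_sensitive(rec["sql"]) and unfiltered_read(rec["sql"]):
            reasons.append("unfiltered read of a sensitive table")
        prior = history[rec["user"]]
        if prior:
            typical = statistics.median(prior)
            if rec["rows"] > max(BULK_FACTOR * typical, MIN_BULK_ROWS):
                reasons.append(f"returned {rec['rows']} rows, typical {typical}")
        if rec["host"] not in KNOWN_HOSTS:
            reasons.append(f"unknown client host {rec['host']}")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        history[rec["user"]].append(rec["rows"])
        if len(reasons) >= MIN_SCORE:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "host": rec["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_log(AUDIT_LOG)):
        print(a["ts"], a["user"], a["host"], "; ".join(a["reasons"]))
```

The scoring matters: the read-only reporting account's `GROUP BY` over the whole table trips the "no WHERE clause" indicator alone and stays below the alert threshold, while the 2.5-million-row pull trips all four indicators at once. A real auditing product adds the pieces this toy omits (capture at the database or network layer so the application cannot skip logging, tamper-evident storage of the audit trail, and blocking rather than merely alerting), but the questions it answers are the same ones asked here.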

There are several good database auditing solutions on the market from vendors such as IBM (Guardium), Application Security, Imperva, and others.


About craig@craigsmullins.com

I'm a strategist, researcher, and consultant with nearly three decades of experience in all facets of database systems development.
This entry was posted in data breach.

One Response to It Must Have Been a Big Data Breach

  1. Ray Mullins says:

    No need to be shy – it’s an outfit called Epsilon, which handles emails for many large companies. I’ve received 5 emails so far.

    The scuttlebutt is that Epsilon was hacked and all their email databases were mined.

    You are right – company Yyyyyy is just as culpable as Epsilon. They decided to outsource a marketing function to a third party, and now they are finding that both the tangible and intangible costs will be worse than if they had kept their email marketing in-house.

    I’m sure that even as I write this, several lawyers are preparing lawsuits against Epsilon and their customers. It will be easy to prove that Epsilon acted recklessly in not having enough security, and enterprising lawyers will go after the customers with a not-acting-in-good-faith argument–and they have a good case.
