Implications for customers
"The problem in the Epsilon case is that there are two lots of customers affected," said Paul Ducklin, head of technology, Asia Pacific, Sophos. "Firstly, there are Epsilon's customers - which includes a growing list of major companies. Our own readers have sent in "warning emails" from a dizzying array of affected companies, apparently including: Walgreens, 1800Flowers.com, Air Miles, Target, Lacoste, AbeBooks, McKinsey Quarterly, Brookstone, Disney, American Express, Best Buy, and more. They are now faced with a security embarrassment created by a third party."
"Secondly, there are the customers of all Epsilon's customers - the people whose email addresses have been lost."
"So there are two lots of advice. To the end-users - the customers of Epsilon's customers - the risk is, fortunately, fairly low. Email addresses are usually widely known anyway. But users whose addresses have been compromised need to be vigilant, because they might receive increased levels of spam, and that spam might be better targeted than usual."
"Losing your email address to scammers and spammers is likely to mean a surge in spam to your account. And losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely. That, in turn, can make their fraudulent correspondence seem more believable."
"To the direct customers of Epsilon - Walgreens, Air Miles, Lacoste and others - the questions are tougher. One: do you still trust the company to handle your email? Two: how will you regain the trust of your own customers?"
"Outsourcing and the cloud are buzzwords of the 2010s - their many evangelists will assure you that cloud-sourcing your high-volume internet services is certain to save you money, improve your up-time, and boost your security. After all, if you leave a job such as direct marketing (or email, or office automation, or authentication) entirely to the specialists, you're bound to have experts on the job who are at least as switched on about security as you are. Perhaps. But sometimes, keeping your own skills and abilities factored into your organisation's security equation can pay off."
"Bear in mind that a growing number of experts, including MySQL and Sun, RSA, Comodo and Facebook, have recently shown that they don't know everything about security, after all. Maybe _they_ should be learning from _you_?"
"If you keep data about other people - even if it's just email addresses - you owe it to those people to protect their information. Even if you're the sort of organisation which is willing to take risks with your own data - sales forecasts, trade secrets, and that sort of thing - you have a clear moral duty not to take risks with data you keep about other people."