The Epsilon Breach: What Should You Do?
What should companies and consumers do to protect themselves from the email marketing provider breach?
Email marketing provider Epsilon is the latest in a string of high-profile data breaches that could leave consumers at risk.
At the end of last week Epsilon disclosed that a subset of its customer email data was exposed due to an unauthorized entry into its email system. According to Epsilon, only customer names and email addresses were taken.
"A rigorous assessment determined that no other personal identifiable information associated with those names was at risk," Epsilon noted in a letter to clients.
So far, Epsilon has not disclosed any additional details about the cause of the breach, though it notes that a full investigation is underway. Even without those details, there is already some high-level speculation about the root causes of the breach.
"Given what has been disclosed publicly we would certainly have to question what sort of monitoring Epsilon has in place, including monitoring that extends to identity and access management architectures as well as applications like Epsilon's email application," Tom Turner, senior vice president, Marketing and Channels at security vendor Q1 Labs, told InternetNews.com.
Turner noted that the Epsilon breach is another example of the more sophisticated threats and breaches that are occurring with regularity across industries.
"In many ways we are now paying for the historical 'check box' approach to compliance logging and security monitoring rather than focusing on advanced security intelligence," Turner said.
Security vulnerability assessment vendor Rapid7 also has tools and technologies designed to help enterprises mitigate risks. Marcus Carey, Enterprise Security Community Manager at Rapid7, told InternetNews.com that, in his view, many companies are trying their best to defend their assets.
"There are so many attack vectors that attackers can use, so it's impossible to cover all bases," Carey said. "The attacker only has to be right one time to win, where organizations have to be right on hundreds of potential vulnerabilities."
Carey suggests that organizations should develop efficient incident response capabilities to recognize and respond quickly to these breaches. Additionally, companies should continue to improve their security operations capabilities so that they can spot suspicious activity.
"They need to keep their lawn cut low to spot snakes," Carey said.
For consumers, education remains the best mitigation against the threats that may come as a result of the Epsilon email breach. In general, Carey noted that people need to scrutinize emails and social network applications even when they know who a message appears to be from.
"Users need to understand there could be a con-man on the other end of any communication," Carey said. "Users should employ the old trust, but verify method."
One way users can verify an email is by entering the domain into their browser manually instead of simply clicking a link in the email.
"One trick is to paste email text snippets into a search engine; sometimes they'll find that the email is a phish or hoax," Carey said. "Avoid clicking on links in email, especially those asking them to verify any personal information such as passwords or credit cards."