7 Tips to Avoid e-Mail CompromisePost-Epsilon, Experts Share Steps to Ensure Brand Integrity
Epsilon, an online marketing unit of Alliance Data Systems Corp., announced April 1 that an outside intrusion had hacked into some of its customer files. Epsilon sends e-mail campaigns and offers to consumers who register for a company's website or who give their e-mail addresses while shopping. The company sends more than 40 billion e-mails annually and also runs loyalty programs for credit card users.
So far, more than 65 companies are confirmed or suspected of being affected by the breach. [See, Epsilon: The Impacted Companies.] While e-mail addresses themselves are not considered sensitive information, the hacker's ability to associate those e-mail addresses with other information is a concern, says Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University. "The e-mail address by itself does not have that much value. But when you combine the e-mail address with other information, it's easy for fraudsters to turn that combined information into cash," Christin says.
'Massive Spear Phishing'Mark Bower, a data security expert for Voltage Security, says the fact that hackers were able to access e-mail addresses and consumer affiliations with specific companies creates a "high-risk" phishing concern. "It gives the attackers and the spear phishers something much more meaty to go after," Bower says. "Now they can send an e-mail asking if the consumer is a customer of a specific bank or retailer or hotel," and then direct consumers to targeted malicious links. "We all think about e-mail addresses as being fairly benign; but when you think about e-mail addresses being affiliated with a mortgage company or a bank, then you can see how a hacker can put information together to turn that data that is benign on the surface into cash.
"We are going to see massive spear phishing attacks from this," he adds.
The problem with the Epsilon breach, Bower says, is that involves so many well-known organizations and trusted brands. "This could impact the brands themselves, even though it was not the brands, but rather a third party, that was hacked."
Nevertheless, the brands have to respond, and many have. Several companies have e-mailed notices to their customers, alerting them to the breach and advising them to be on guard for phishy correspondence.
E-mail notices are more efficient than phone calls and snail mail, but companies need to be careful they don't open their customers to new risks, or further impact their brands in a negative way.
"Organizations have to be careful of sending out e-mails that include links," Bower says. "They have to think about how they can instill confidence and trust, and ensure customers feel confident clicking on a link and knowing it's coming from their bank."
7 TipsIn the wake of the Epsilon breach, experts offer these tips to organizations regarding e-mail addresses and correspondence:
- Send Only Secure e-mail. When sending correspondence to customers, include something only they would know, such as an image or some predetermined bit of information. Obviously, this would have to be an image or information that a hacker could not access if e-mail databases were compromised.
- Urge Compartmentalization. Recommend that customers compartmentalize their e-mail use -- meaning use different e-mail addresses for sensitive transactions related to work and tax-filing than they use when signing up for promotional offers online.
- Practice Transparency. Tell customers exactly how you plan to use the e-mail addresses you collect. Customers should know the names of every third party you use for e-mail services, and they should understand how their e-mail addresses are stored and shared.
- Use a Familiar Domain. Re-evaluate the common practice of relying on third parties to manage and send e-mails. When promotional e-mails go out to customers, the sending domains should not be unrecognizable. "Some e-mails from my bank look like phishing e-mails," Christin says, "because they are coming from a third party that does not use the same domain." The subject line or body of the e-mail may include some information about the bank, but there is no other indicator that the e-mail is legitimate, he says.
- Take Pains to Ensure Security. Any company that works with a third party should ensure the security of all customer data. Understand how customer information is being stored and ensure it is protected on an internal basis.
- Limit Access. Restrict internal access to customer files and databases. "Only those who need access to certain bits of information should have access," Bower says. "That's the best way to control these kinds of problems from reoccurring."
- Educate, Educate, Educate. Be ever vigilant in the effort to educate customers about phishing and how not to answer suspicious e-mails. Organizations must consistently remind consumers that sharing personal data and information online should be limited if not eliminated.
Living with Breaches: A Modern Reality"People have to realize that privacy online is hard to maintain," Christin says. "Consumers should be very much on the defensive."
It's a message the industry has heard and shared for years. "The fraudsters are always five steps ahead, so we need to be prepared and assume that any endpoint can be compromised," says Aite Analyst Julie McNelley.
Data breaches are not going to end, and there is risk, Bower says, of the industry fatiguing from the weight. Reducing the risk is the best way to avoid fallout. That means putting privacy and integrity of all data first -- including e-mails.
"Banks and organizations should build data protection into their costs. I think data breaches themselves are almost reaching epidemic proportions, whether it's healthcare systems or, in the is case, e-mail systems," Bower says. "At the end of the day, phishing is always going to be a problem, but with the right technologies and practices applied, the risk of it becoming an epidemic can be reduced."