Theft of customer email addresses made headlines across mainstream media multiple times in the last few months, and it may not be as uncommon an occurrence as some believe. A recent report from Proofpoint, an email security supplier, found 35% of US companies investigated a suspected email leak of confidential or proprietary information in the past 12 months.
Data breaches at several email service providers (ESPs) in the last six months have exposed millions of customer email addresses, including 18 million at American Honda Motor Co. and deviantART, from a breach at email marketing firm Silverpop late last year, according to reports. More addresses were exposed in April during a data breach at Epsilon, impacting customers at dozens of companies including JPMorgan Chase & Co., Target, Marriott International and Hilton Hotels & Resorts.
The need for protection and prevention around data security needs to be addressed on the business side of the house, as well as the IT side, says Dave Lewis, CMO of Message Systems and co-chair of the Online Trust Alliance. JPMorgan Chase, for example, sent an email alerting customers of the breach at Epsilon, warning them not to respond to email requests for personal information. “The security of your information is a critical priority to us and we strive to handle it carefully at all times,” the email read.
Marketers are rethinking their use of email service providers, says Lewis, because they are ultimately held responsible by the customer.
Bryan Kennedy, CEO of Epsilon, told Direct Marketing News it had not lost any clients due to the incident and that it took the experience seriously. In a statement, Epsilon also said it was working with federal authorities to investigate the source of the unauthorized entry to its system that impacted 2% of its customer base.
Silverpop declined further comment beyond its issued statements.
Keith Crosley, director of market development for Proofpoint, believes marketers should look closer at security controls and processes used by their third-party vendors. Email addresses by themselves haven’t been considered personally identifiable information (“PII”). However, Crosley says they’re seeing efforts by attackers to exploit softer targets to expose email addresses and passwords.
Businesses affected by a data loss of the email, name and address variety are less likely to see substantial customer backlash, says Mark McCreary, a corporate practice and privacy law attorney at Philadelphia-based Fox Rothschild LLP. The stakes are higher when bank, credit or personal information is lost.
“But there is genuine value in having an email associated with a certain company,” McCreary relates. “To know that [email protected] is a Tivo customer creates a verifiable connection between the owner of that email address and the criminal sending a phishing email to that person.”
“Targeted mail attacks are always sent in low volumes, targeting specific individuals within organizations,” says Paul Wood, senior analyst at Symantec. “The greatest risk is when email addresses and passwords are reused. An email address is the key to accessing a social networking profile. A criminal with access to a user’s email account can reset passwords for other services.”
Data security breaches will always be a part of the industry, Lewis states. Bad behaviors follow the money, and data is the new currency. “We’ve talked about things like email authentication for years and not gotten the attention of CMOs,” relates Lewis. “This one has broken through, and if it’s channeled for change, I think it is ultimately healthy.”