April Fool’s Day 2011 will go down as one of the worst April Fool’s Days in history. For on this past April Fool’s Day, the Epsilon Data Management breach was announced. At first, it was considered just another April Fool’s Day Internet joke, but it has since turned out to be anything but funny. More than 60 organizations have been affected by this breach, and the count just keeps going up.
According to Epsilon’s parent’s news release on April 6, the good news is that Epsilon personnel detected the breach quickly and shut it down. However, the attacker got away with 2% of Epsilon’s database for email generation. When you consider that an organization like Epsilon has around 300M or more email addresses in its database, a 2% loss is still a large number at six million plus. But this breach is the gift that keeps on giving, so there could be more to the story as time goes on.
The thing I found the most interesting is that Epsilon has reiterated in all of their statements that no personally identifiable information (PII) was released in this breach. However, what Epsilon has been very silent about is whether or not demographic information was taken as a result of the breach. Demographic information is not PII, so their statements to the press are accurate. However, their statements, no matter how accurate, may be misleading if demographic information was obtained. Based on my work with companies like Epsilon and how they operate, one has to assume that there was demographic information taken in addition to names and email addresses.
One of the first questions I got regarding the Epsilon breach was whether or not it mattered for PCI. After all, no PII was released, so what is the big deal? I was stunned. Of course it matters; it matters a lot. I reminded those who questioned this that while the Epsilon breach did not release any PII, the attackers likely have enough information in their possession to mount the mother of all spear phishing attacks to obtain the PII from the source.
But even with all of that, the Epsilon breach offers some good lessons regarding PCI compliance and why you should be doing what the PCI DSS requires.
- Security is not perfect. I know I keep beating the drum about this, but people still seem to think that security is perfect or they think that I am just trying to give myself an out when a breach occurs. However, this statement has never been truer. While I cannot personally attest to the level of Epsilon’s security and procedures, the information released thus far seems to indicate that Epsilon’s security was above average. I base this on the facts that the breach occurred on March 30, was announced on April 1, that only 2% of their data was compromised and only their email system was involved. If they were not doing the right things, then all of this information would have been a very long time coming. However, even with an above average security posture, Epsilon was still breached.
- Monitoring matters. Epsilon appears to have caught this breach quickly because they must have been monitoring their network and systems. What this incident points out is that even when you are monitoring your environment, it takes a while to recognize that a breach is in progress and then act upon that information. As a result, information was still obtained by the attacker.
- Logging matters. As I stated in my comments regarding security not being perfect and monitoring, there is just too much information about this breach to believe that Epsilon was not doing an appropriate amount of logging. In addition, if I had to guess, they were also likely analyzing their logs in real time, which is why they so quickly identified the breach and were able to determine how much information was likely involved. The bottom line is that with this wealth of information available for analysis, Epsilon was able to identify and isolate the breach.
- An incident is never good. Someone once said, “Bad publicity is better than no publicity at all.” Unfortunately, when a breach occurs, the bad publicity generated does no one any good that is associated with the breach. However, this leads to my last learning point.
- Incident response planning matters. Look at how this incident has been handled and how quickly it was handled. This was not done by a group of people navigating this incident by the seat of their pants. This incident was planned for and they are working their plan. Since the incident was identified and quantified quickly, they issued a press release as soon as they could with a lot of information. Yes, this could all still be theater, but I highly doubt it. There has just been too much information and knowledge shared to think it is all a show.
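To make the monitoring and logging points above concrete, here is an added example (my own illustration, not anything from Epsilon or its parent) of the kind of real-time log analysis that both detects a bulk pull from an email database and quantifies how much was read when the alert fired. The audit-log format, the user names, the table name and the table size are all constructed for the example; real database audit logs will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (hypothetical format): timestamp, db user,
# table queried, rows returned. Not real Epsilon data.
SAMPLE_LOG = """\
2011-03-30T02:10:05 user=etl_batch table=email_list rows=5000
2011-03-30T02:10:07 user=web_app table=email_list rows=1
2011-03-30T02:11:12 user=etl_batch table=email_list rows=5000
2011-03-30T02:12:40 user=svc_report table=email_list rows=900000
2011-03-30T02:13:02 user=svc_report table=email_list rows=900000
2011-03-30T02:13:55 user=svc_report table=email_list rows=900000
2011-03-30T02:14:10 user=web_app table=campaigns rows=12
"""

TABLE_SIZE = 100_000_000      # constructed: rows in the email_list table
WINDOW = timedelta(minutes=5)  # sliding window per database user
THRESHOLD = 0.01               # alert once one user has pulled 1% of the table

def parse_line(line):
    """Parse one constructed audit line into (timestamp, user, table, rows)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["user"], fields["table"], int(fields["rows"])

def detect_bulk_reads(log_text, table="email_list", table_size=TABLE_SIZE,
                      window=WINDOW, threshold=THRESHOLD):
    """Return {user: rows_read_when_alerted} for each user whose reads of
    `table` inside the sliding window reach `threshold` of the table.
    The stored row count is the quantification a responder needs first:
    how much was taken before the alert fired."""
    history = defaultdict(list)   # user -> [(timestamp, rows)] inside window
    alerts = {}
    for line in log_text.splitlines():
        ts, user, tbl, rows = parse_line(line)
        if tbl != table:
            continue                # only the table we care about
        hist = history[user]
        hist.append((ts, rows))
        while hist and ts - hist[0][0] > window:
            hist.pop(0)             # expire events older than the window
        total = sum(r for _, r in hist)
        if total >= threshold * table_size and user not in alerts:
            alerts[user] = total    # first crossing: record rows pulled so far
    return alerts
```

Running it on the constructed lines flags only svc_report, the account whose three large reads cross 1% of the table; the routine batch job stays well under the threshold.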