What Can We Learn From The Epsilon Breach?

April Fool’s Day 2011 will go down in history as one of the worst April Fool’s Days ever. For on this past April Fool’s Day, the Epsilon Data Management breach was announced. At first, it was considered just another April Fool’s Day Internet joke, but it has since turned out to be anything but funny. More than 60 organizations have been affected by this breach and the count just keeps going up.

According to Epsilon’s parent’s news release on April 6, the good news is that Epsilon personnel detected the breach quickly and shut it down.  However, the attacker got away with 2% of Epsilon’s database for email generation.  When you consider that an organization like Epsilon has around 300M or more email addresses in its database, a 2% loss is still a large number at six million plus.  But this breach is the gift that keeps on giving, so there could be more to the story as time goes on.

The thing I found the most interesting is that Epsilon has reiterated in all of their statements that no personally identifiable information (PII) was released in this breach.  However, what Epsilon has been very silent about is whether or not demographic information was taken as a result of the breach.  Demographic information is not PII, so their statements to the press are accurate.  However, their statements, no matter how accurate, may be misleading if demographic information was obtained.  Based on my work with companies like Epsilon and how they operate, one has to assume that there was demographic information taken in addition to names and email addresses.

One of the first questions I got regarding the Epsilon breach was whether or not it mattered for PCI. After all, no PII was released, so what is the big deal? I was stunned. Of course it matters, it matters a lot. I reminded those who questioned this that while the Epsilon breach did not release any PII, the attackers likely have enough information in their possession to mount the mother of all spear phishing attacks to obtain the PII from the source.

But even with all of that, the Epsilon breach offers some good lessons regarding PCI compliance and why you should be doing what the PCI DSS requires.

  • Security is not perfect. I know I keep beating the drum about this, but people still seem to think that security is perfect or they think that I am just trying to give myself an out when a breach occurs.  However, this statement has never been truer.  While I cannot personally attest to the level of Epsilon’s security and procedures, the information released thus far seems to indicate that Epsilon’s security was above average.  I base this on the facts that the breach occurred on March 30, was announced on April 1, that only 2% of their data was compromised and only their email system was involved.  If they were not doing the right things, then all of this information would have been a very long time coming.  However, even with an above average security posture, Epsilon was still breached.
  • Monitoring matters. Epsilon appears to have caught this breach quickly because they must have been monitoring their network and systems.  What this incident points out is that even when you are monitoring your environment, it takes a while to recognize that a breach is in progress and then act upon that information.  As a result, information was still obtained by the attacker.
  • Logging matters. As I stated in my comments regarding security not being perfect and monitoring, there is just too much information about this breach to believe that Epsilon was not doing an appropriate amount of logging.  In addition, if I had to guess, they were also likely analyzing their logs in real-time which is why they so quickly identified the breach and were able to determine how much information was likely involved.  The bottom line is that with this excess of information available for analysis, Epsilon was able to identify and isolate the breach.
  • An incident is never good. Someone once said, “Bad publicity is better than no publicity at all.”  Unfortunately, when a breach occurs, the bad publicity generated does no one any good that is associated with the breach.  However, this leads to my last learning point.
  • Incident response planning matters. Look at how this incident has been handled and how quickly it was handled.  This was not done by a group of people navigating this incident by the seat of their pants.  This incident was planned for and they are working their plan.  Since the incident was identified and quantified quickly, they issued a press release as soon as they could with a lot of information.  Yes, this could all still be theater, but I highly doubt it.  There has just been too much information and knowledge shared to think it is all a show.
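The monitoring and logging points above are easier to appreciate with a concrete picture of what "analyzing logs in real time" buys an incident team: a detection, a detection lag, and a count of the records involved. The following is an added example, not code from this post or from Epsilon; the export audit log format, the account and client names and every sample line are constructed for the demonstration, and the ten-minute window and 10x baseline factor are assumed tuning values. It buckets export jobs per service account, flags a window whose row volume dwarfs that account's earlier windows, and reports how many rows and which clients were touched, plus how long after the first suspicious job the alert could have fired.

```python
"""Toy real-time log analysis: flag an abnormal bulk export and size it.

Added example for this post (not Epsilon's or the PCI Guru's code). The
log format, account/client names and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines, one per export job (assumed format). The 08:30
# window carries three jobs far larger than anything seen earlier.
SAMPLE_LOG = """\
2011-03-30T08:00:12Z export account=svc_campaign client=retailer_a rows=4800
2011-03-30T08:03:41Z export account=svc_campaign client=bank_b rows=5200
2011-03-30T08:07:55Z export account=svc_campaign client=pharmacy_c rows=4100
2011-03-30T08:11:02Z export account=svc_campaign client=retailer_a rows=5000
2011-03-30T08:14:30Z export account=svc_report client=bank_b rows=3900
2011-03-30T08:18:09Z export account=svc_campaign client=pharmacy_c rows=4600
2011-03-30T08:21:44Z export account=svc_report client=retailer_a rows=4200
2011-03-30T08:25:17Z export account=svc_campaign client=bank_b rows=4900
2011-03-30T08:31:05Z export account=svc_campaign client=retailer_a rows=250000
2011-03-30T08:32:18Z export account=svc_campaign client=bank_b rows=310000
2011-03-30T08:33:40Z export account=svc_campaign client=pharmacy_c rows=280000
2011-03-30T08:36:02Z export account=svc_campaign client=retailer_a rows=5100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) export account=(?P<account>\S+) "
    r"client=(?P<client>\S+) rows=(?P<rows>\d+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": m["account"],
            "client": m["client"],
            "rows": int(m["rows"]),
        })
    return events


def detect_bulk_exports(events, window_minutes=10, factor=10):
    """Flag windows whose export volume exceeds `factor` x the account's
    mean of earlier, unflagged windows. Returns one alert per flagged
    window with the rows and clients involved and the detection lag (time
    from the first job in the window until the window closes and the
    comparison can be made)."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(lambda: defaultdict(list))  # account -> start -> events
    for ev in events:
        minute = (ev["ts"].minute // window_minutes) * window_minutes
        start = ev["ts"].replace(minute=minute, second=0, microsecond=0)
        buckets[ev["account"]][start].append(ev)

    alerts = []
    for account, windows in buckets.items():
        history = []  # row totals of previous normal windows (the baseline)
        for start in sorted(windows):
            total = sum(e["rows"] for e in windows[start])
            if history and total > factor * (sum(history) / len(history)):
                first = min(e["ts"] for e in windows[start])
                alerts.append({
                    "account": account,
                    "window_start": start,
                    "rows": total,
                    "clients": sorted({e["client"] for e in windows[start]}),
                    "detection_lag_s": int((start + window - first).total_seconds()),
                })
            else:
                history.append(total)
    return alerts


def summarize(alerts):
    """The two numbers a response team needs first: scope and who to notify."""
    return {
        "rows_at_risk": sum(a["rows"] for a in alerts),
        "clients_to_notify": sorted({c for a in alerts for c in a["clients"]}),
    }


if __name__ == "__main__":
    found = detect_bulk_exports(parse(SAMPLE_LOG))
    for a in found:
        print(a)
    print(summarize(found))
```

Two things the output makes visible that the prose only asserts. First, even with the log analysed as it arrives, the alert cannot fire before the window closes, so roughly nine minutes of exporting had already happened; shrinking the window cuts that lag at the cost of more false alarms. Second, the scope figure is an upper bound: the legitimate 5,100-row job that landed in the same window is counted along with the three suspicious ones, which is the conservative direction for a notification decision.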

8 Responses to “What Can We Learn From The Epsilon Breach?”

  1. Ns
    April 14, 2011 at 3:06 PM

    Does anyone know if Wells Fargo is PCI compliant? To become PCI compliant we have decided to outsource the credit card handling to a 3rd party. Business currently works with Wells Fargo. We have asked business if Wells Fargo is PCI compliant and if Wells Fargo can help business change the process. I looked on the VISA website and Wells Fargo is not listed there. So wanted to know if anyone can verify if Wells Fargo is PCI compliant?

  2. ww
    April 14, 2011 at 6:07 AM

    As of April 14, 2011 the only company that has warned me was Scottrade. Not Walgreens, Citi, or a host of others that supposedly were involved. My only tip was Scottrade. Kudos to Scottrade. Raspberries to all the others that are hiding from involvement.

  3. JJ
    April 10, 2011 at 10:33 AM

    I guess it depends on how they defined “clients”. 2% of 2,500 = 50. The list is at 99 now. Maybe they defined each discrete email address as a “client”.

    • April 11, 2011 at 6:02 AM

      My understanding was that it was 2% of their database of email addresses, not 2% of their customers that had email addresses. If you figure they had around 300M email addresses, that works out to around 6M email addresses breached versus 2% of 100 customers which would be 2.

  4. JJ
    April 9, 2011 at 9:03 PM

    “Detected” and “Started” are not necessarily synonymous. I agree with your comment, though. There are only two correct answers to the question of “Have you experienced a breach?”

    “Not that we know of.” and “Yes.”

    Any other answer is either an intentional lie or incompetence.

    • April 10, 2011 at 9:40 AM

      Agreed. However, if you look at the fact that only 2% of the data was taken and Epsilon had upwards of 300M records, the breach couldn’t have been going on for too long.

  5. April 9, 2011 at 7:44 PM

    The press release that Epsilon issued on April 1 stated that the breach was detected on March 30.

    Whether this was the first or second breach is almost pointless to argue. Ask any large organization if they have suffered a breach in the last 24 months. If they tell you ‘No’, they have to be lying because the statistics say they had one. Then there is just personal experience that says they had to have had at least one breach in the last 24 months. Now, was it as large as the Epsilon breach or through the Internet, probably not. But they all have had at least one breach in the last 24 months.

  6. JJ
    April 9, 2011 at 6:46 PM

    Has Epsilon actually said how fast they detected it? Being a natural skeptic, I find the write-up here more plausible: http://www.databreaches.net/?p=17340 – Was this Epsilon’s first breach – or its second? (update2)

    “Yesterday, I contacted Walgreens to ask directly, among other questions, whether their December notification to customers was due to SilverPop or Epsilon. A Walgreens’ spokesperson responded:

    “After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.””
