After blogging about BP’s lost laptop this morning I was checking my mail and discovered a note from one of my financial institutions about a breach at bulk email sender Epsilon that impacts me. Three of the largest credit card issuers in the U.S. (as well as Tivo) had their customers’ name/email address combos stolen from Epsilon. For someone like me, whose email address is readily discoverable already, I doubt this means much. But for anyone who diligently keeps their email address out of the public eye to avoid SPAM, this breach likely means your email address will be sold to spammers and you can expect a major uptick in SPAM. For example, my wife has two email addresses. One is her serious address and the other is used in situations where commercial emails (unsolicited or solicited) would be common, or on public forums where spammers might get their hands on the email address. As a result her primary email address gets little spam while her secondary address is flooded. Has the breach of Epsilon made her diligence all for nought?
A more serious complication may be the more effective crafting of Phishing attacks. For example, when I get email claiming to be from Capital One saying that my account has been compromised and I need to click on some link to change my password, I laugh at it. I am not a Capital One customer and thus, without even reading the mail message, I know this is a Phishing attack (trying to get me to reveal my personal data thinking I was revealing it to Capital One). But when I get the same mail claiming to be from a bank I do have an account at, I need to read it very carefully to see if it is a Phishing email. And then even if I think the mail is real I still don’t click on any links; I type the URL of my bank into the browser directly. I assume the theft from Epsilon associates the name and email address with the financial institution that gave it to Epsilon, in which case the bad guys know what financial institution I have an account with. This will let them target anyone whose data was lost with Phishing emails that look more like something their financial institution would actually send them. For example, say your email address is email@example.com and you have a Capital One credit card. Not only will the bad guys know that they should flood you with email that looks like it comes from Capital One, they will know they can personalize the message with your name (e.g., “Dear Mr. Jones” rather than “Dear Customer”), making it less likely that your “spidey sense” will make you question the email’s validity. If they keep tweaking and tuning that email they send you every day or week, they’ll get it through both your email system’s phishing filters and your own sense of what is real and what is fake, and get you to do what they want!
What can be done about all this? Obviously the technological defenses on all fronts need to continue to be beefed up. And despite my revulsion at increased legal or regulatory interference, I do wonder if the cost to a company of losing personal information is too low relative to the damage it causes. Certainly making it unlawful to share my personal information with any party that I don’t explicitly agree to allow you to share it with would be one step. Today it is all rather murkily described in multi-page privacy policies and difficult (i.e., get on the phone and be on perpetual hold) opt-out mechanisms, if it is even possible to opt out. That may have to change.