BreachExchange mailing list archives
Re: Fwd: [Dataloss] Epsilon Bingo [def. of PII]
From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Wed, 6 Apr 2011 05:10:30 -0700
I don't think the definition of PII has evolved; I think you are witnessing a business decision based on risk to brand reputation. In this instance the breach was by a 3rd party service provider, so the primary businesses do more to protect their reputations by announcing that someone else breached their customers' data than by having some customers eventually think it was their fault. Had this breach been at any one of the retailers listed you would have probably been hard-pressed to find any sort of breach notice. The exception might be the banks. Spearphishing attacks are far more likely to succeed when you receive a correspondence from an institution where you actually have an account, so the banks would likely have a financial interest in notification (since they would ultimately have to cover the fraud associated with lost credentials), whereas the retailers would not, and so would likely follow the legal definition of PII and not notify.

________________________________________
From: dataloss-discuss-bounces () datalossdb org [dataloss-discuss-bounces () datalossdb org] On Behalf Of Jake Kouns [jkouns () opensecurityfoundation org]
Sent: Tuesday, April 05, 2011 10:02 PM
To: dataloss-discuss () datalossdb org
Subject: [Dataloss-discuss] Fwd: [Dataloss] Epsilon Bingo [def. of PII]

Lots of room for a great discussion on this topic... See below for thoughts on email address being considered PII... What do others think about it?

---------- Forwarded message ----------
From: Dave Stampley <dstampley () kamberlaw com>
Date: Tue, Apr 5, 2011 at 10:06 PM
Subject: Re: [Dataloss] Epsilon Bingo [def. of PII]
To: Jake Kouns <jkouns () opensecurityfoundation org>

Dear Mr. Kouns,

Regarding whether email addresses are PII--in some quarters, email addresses have been considered PII for some time.
Please consider:

“Personally identifiable information” or “personal information” shall mean individually identifiable information from or about an individual including, but not limited to:
(a) a first and last name;
(b) a home or other physical address, including street name and name of city or town;
(c) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual’s email address;
(d) a telephone number;
(e) a Social Security Number;
(f) a persistent identifier, such as a customer number held in a “cookie” or processor serial number, that is combined with other available data that identifies an individual; or
(g) any information that is combined with any of (a) through (f) above.

In the Matter of Microsoft Corporation, Federal Trade Commission, File No. 012 3240, Docket No. C-4069, Agreement Containing Consent Order, Aug. 8, 2002, pp. 2-3, http://www.ftc.gov/os/caselist/0123240/microsoftagree.pdf; accord In the Matter of Eli Lilly and Company, Assurance of Voluntary Compliance and Discontinuance, Attorneys General of the States of California, Connecticut, Idaho, Iowa, Massachusetts, New Jersey, New York, and Vermont, p. 7 n.3, July 2002, http://supplierportal.lilly.com/SiteCollectionDocuments/Multi_State_Order.pdf.

Thanks for the datalossdb.

Regards,
Dave

David A. Stampley | KamberLaw, LLC
100 Wall St., 23rd Fl., New York, NY 10005
tel 212.920.3072 | fax 212.920.3081
dstampley () kamberlaw com | www.kamberlaw.com

CONFIDENTIALITY AND LIABILITY FOR MISUSE. The information contained in this communication is the property of KamberLaw, LLC. It is confidential, may be attorney work product, attorney-client privileged or otherwise exempt from disclosure under applicable law, and is intended only for the use of the addressee(s). Unauthorized use, disclosure or copying of this communication or any part thereof is strictly prohibited. If you have received this communication in error, please notify KamberLaw, LLC immediately by return e-mail and destroy this communication and all copies thereof, including all attachments. Pursuant to requirements related to practice before the U.S. Internal Revenue Service, any tax advice contained in this communication (including any attachments) is not intended to be used, and cannot be used, for purposes of (i) avoiding penalties imposed under the U.S. Internal Revenue Code or (ii) promoting, marketing or recommending to another person any tax-related matter.

On 4/5/11 9:27 PM, Jake Kouns wrote:

http://datalossdb.org/incident_highlights/52-epsilon-bingo

By now, everyone has probably read about a company named Epsilon. In fact, most people likely have second hand involvement, receiving one or more emails from companies you do business with warning you to be very careful after a recent incident. Most of these companies have used a similar form letter explaining the concerns and that you should be "cautious of phishing e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information." These notifications stem from Epsilon, a managed e-mail broadcasting company, getting compromised and having all of their customer e-mail addresses copied.

We have received a few emails from people asking us how we could have missed the Epsilon breach and why it isn't on our site. Well, it actually is on the site as we do follow incidents such as this, however, it is listed as a Fringe incident. Why “Fringe”? From what we can tell so far, the breach (while unacceptable) is contained to Names and Email Addresses. We do recognize that this information may increase the risk to customers as targeted spearphishing attempts may be more successful, however, there is no loss of PII. We have debated this topic for years and instead of not including them in DataLossDB, they are now just labeled Fringe.
There will be more debate on the severity of this incident for sure. Some think it is critical and others merely say that their email address was never meant to be private anyway. There are good arguments supporting both sides of the debate. We will be continuing to add all of the affected organizations as we learn about them, and you can see the incident here: http://datalossdb.org/incidents/3540

When Epsilon posted the notice on their site they mentioned: "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system." As of April 4th, they have now updated the definition of “subset” to mean "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."

As of today, we are aware of a little over 40 companies affected and more notices are pouring in from users. As to how many users are impacted, that is anyone’s guess. Our guess is A LOT. If you want to read some of the notices we have received, over a dozen are on our mailing list archives: http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html

For those that want to play along, we have decided to make some Epsilon Bingo Cards. If you are able to fill up a whole card and prove it with the notices we might have to give you a prize... that is the least we could do, right?

As always, please keep sending us any notices that we are missing so that we may better gauge the scope of this incident and update the cards.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series: Endpoint Data Encryption That Actually Works http://credant.com/campaigns/realtime2/gap-LP1/

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
Current thread:
- Epsilon Bingo Jake Kouns (Apr 05)
- Re: [Dataloss] Epsilon Bingo Jeffrey Walton (Apr 05)
- Message not available
- Fwd: [Dataloss] Epsilon Bingo [def. of PII] Jake Kouns (Apr 05)
- Re: Fwd: [Dataloss] Epsilon Bingo [def. of PII] DAIL, WILLARD A (Apr 06)
- Fwd: [Dataloss] Epsilon Bingo [def. of PII] Jake Kouns (Apr 05)
- Re: [Dataloss] Epsilon Bingo Craig Spiezle (Apr 05)