Re: [Dataloss] Epsilon Bingo

[Jeffrey Walton <noloader () gmail com>]

Ji Jake,

> We have received a few emails from people asking us how we could have
> missed the Epsilon breach and why it isn't on our site. Well, it
> actually is on the site as we do follow incidents such as this,
> however, it is listed as a Fringe incident. Why “Fringe”? From what we
> can tell so far, the breach (while unacceptable) is contained to Names
> and Email Addresses. We do recognize that this information may
> increase the risk to customers as targeted spearphishing attempts may
> be more successful, however, there is no loss of PII. We have debated
> this topic for years and instead of not including them in DataLossDB,
> they are now just labeled Fringe. There will be more debate on the
> severity of this incident for sure. Some think it is critical and
> others merely say that their email address was never meant to be
> private anyways. There are good arguments supporting both sides of the
> debate.
There's a lot going on in this paragraph :)

First, email adresses are usually considered pubic information. In
Maryland (my residence), a name and email adress does not qualify as
PII.

Second, the project is the Dataloss DB - and not the PII-Loss DB. In
my mind's eye, data is PII, {customer names, addresses, email
addresses}, and even company secrets. But I suppose the project's
charter is the ultimate arbitrator.

If a company experiences a breach of security and looses data, I think
its great that the project records the loss and makes it available.
Though I'm grateful for *only* PII - I prefer to follow all losses and
the underlying cause of the breach. So categories of 'PII', "Fringe",
ad "Other" works for me ;)

In addition to Epsilon and its loss, I would also consider Apple/AT&T
for inclusion. The Apple/AT&T loss was similar in scope to Epsilon in
that public data (email addresses) were lost. The Apple/AT&T incident
was due to a defective security and access control system protecting
an information system hanging off the *public* internet. The bottom
line is that Apple/AT&T did not protect a segment of its customer
information and lost some of it.

As a side note, I am also interested in the firm which performed the
audit (if audits are required). Cozy relationships are a recipe for
disaster, and auditors should also be held accountable. I still
remember Enron/Arthur Andersen.

Jeff

On Tue, Apr 5, 2011 at 9:27 PM, Jake Kouns
<jkouns () opensecurityfoundation org> wrote:
> http://datalossdb.org/incident_highlights/52-epsilon-bingo
>
> By now, everyone has probably read about a company named Epsilon. In
> fact, most people likely have second hand involvement, receiving one
> or more emails from companies you do business with warning you to be
> very careful after a recent incident. Most of these companies have
> used a similar form letter explaining the concerns and that you should
> be "cautious of phishing e-mails, where the sender tries to trick the
> recipient into disclosing confidential or personal information." These
> notifications stem from Epsilon, a managed e-mail broadcasting
> company, getting compromised and having all of their customer e-mail
> addresses copied.
>
> We have received a few emails from people asking us how we could have
> missed the Epsilon breach and why it isn't on our site. Well, it
> actually is on the site as we do follow incidents such as this,
> however, it is listed as a Fringe incident. Why “Fringe”? From what we
> can tell so far, the breach (while unacceptable) is contained to Names
> and Email Addresses. We do recognize that this information may
> increase the risk to customers as targeted spearphishing attempts may
> be more successful, however, there is no loss of PII. We have debated
> this topic for years and instead of not including them in DataLossDB,
> they are now just labeled Fringe. There will be more debate on the
> severity of this incident for sure. Some think it is critical and
> others merely say that their email address was never meant to be
> private anyways. There are good arguments supporting both sides of the
> debate.
>
> We will be continuing to add all of the affected organizations as we
> learn about them, and you can see the incident here:
> http://datalossdb.org/incidents/3540
>
> When Epsilon posted the notice on their site they mentioned: "On March
> 30th, an incident was detected where a subset of Epsilon clients'
> customer data were exposed by an unauthorized entry into Epsilon's
> email system."
>
> As on April 4th, they have now have updated the definition of “subset”
> to mean "The affected clients are approximately 2 percent of total
> clients and are a subset of clients for which Epsilon provides email
> services."
>
> As of today, we are aware of a little over 40 companies affected and
> more notices are pouring in from users. As to how many users are
> impacted that is anyone’s guess. Our guess is A LOT.
>
> If you want to read some of the notices we have received, over a dozen
> are on our mailing lists archives:
> http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html
>
> For those that want to play along, we have decided to make some
> Epsilon Bingo Cards. If you are able to fill up a whole card and prove
> it with the notices we might have to give you a prize... that is the
> least we could do, right?
>
> As always, please keep sending us any notices that we are missing so
> that we may better gauge the scope of this incident and update the
> cards.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/