Lessons from Data Breach at Epsilon

Another major security breach, this time at the email marketing company Epsilon, has underscored the threat banks face when they outsource services that are not normally considered sensitive.

The breach, which occurred March 30 and which Epsilon reported Friday, exposed the names and email addresses of Epsilon clients' customers. Those clients included several major banks.

"This should be a wake-up call for banks about outsourcing their supposedly low-value [marketing] email," said Avivah Litan, of the research firm Gartner Inc. Banks "have to think twice about outsourcing, especially if they have the wherewithal and resources not to."

The Epsilon incident came barely two weeks after the disclosure of a major attack against EMC Corp.'s RSA Security. While the Epsilon attack is less serious, experts said, it gives hackers valuable information that they can use to craft targeted phishing attacks.

Such attacks are known as "spear phishing." As opposed to regular phishing attacks, which are essentially randomly transmitted spam, spear phishing attacks target victims whose banks or employers are known to the hacker.

Epsilon, a unit of Alliance Data Systems Corp. of Irving, Texas, reportedly sends out billions of emails a year for thousands of top corporations. Among the banks affected were JPMorgan Chase & Co., Citigroup Inc., Capital One Financial Corp., Barclays PLC and U.S. Bancorp.

In an emailed statement, Epsilon said, "The information that was obtained was limited to email addresses and/or customer names only." Epsilon would not otherwise discuss the attack except to say it was an "unauthorized entry."

Outsourcing does not necessarily mean putting customer data at risk. Visa Inc., for example, said it kept control of such data even though it hired Epsilon for certain parts of a rewards program.

"The Visa Extras program is unaffected by the incident," Visa said by email. "Because Visa takes security and the protection of account holder information extremely seriously, all the databases, applications and servers maintained by Epsilon for the Visa Extras program have always been completely separate systems, and thus were not in any way involved in the March 30th incident."

Affected banks need to craft a careful message to consumers, experts said. The banks must remind consumers that they might receive suspicious email claiming to be from others involved in the breach — even if, for legal considerations, the banks decide not to name those other affected parties.

Otherwise, "it is a reinforcement of the same messages banks have so effectively pushed out regarding phishing: If something does not look or feel right, don't click on it," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

The problem does not stop with consumers, as the RSA incident demonstrates. According to Litan, the RSA breach occurred after an employee opened an email attachment that was hiding malware.

(EMC announced Monday that it has acquired NetWitness Corp., a Reston, Va., company that provides network notification of advanced attacks — such as the one launched against RSA.)

The attack against Epsilon could similarly hurt other companies, as hackers could easily search the email addresses they've stolen for corporate domains and go after the vastly lucrative information stored behind company firewalls.

"If you are able to breach the company itself, there are a lot of things, like business plans, banking and credit card information, and other kinds of private information that is supposed to be secure," said George Tubin, a senior research director with TowerGroup.

In a press release Saturday, Capital One said it was "actively communicating with our customers, including providing them with information about how to help protect themselves from potential fraudulent activity."

"It is very debilitating to companies who have had a data breach," said James Van Dyke, a co-founder and the president of Javelin Strategy and Research. Among the things banks must be wary of is the risk of consumer fear and alienation; customers may lose trust in an institution, Van Dyke said, and they may no longer wish to use the credit or debit card of a bank that has notified them of a breach.

Litan said the breach also points to the need for banks and others to develop security standards around personally identifiable information, such as exists for card transactions through the Payment Card Industry standard. "Information is gold," Litan said.

MORE FROM AMERICAN BANKER