Why The Email Breach Of Epsilon Is A Big Deal And What Does It Mean To Advisors And Their Clients

Monday, April 04, 2011 18:49

Tags: client communications | privacy; security

Millions of email addresses were reportedly exposed to a hacker last week who broke into the world's largest email marketer's systems. What's it mean to advisors and their clients?

Epsilon issued a terse press release on April 1 about the March 30 incident, and yesterday it updated the release to say that it affected "approximately 2 percent of total clients."

Why, as an advisor, should you care? For a couple of good reasons.

First, the breach is expected to result in a phishing frenzy. (Phishing is an email designed to get you to submit your password and user ID to a rogue website.)

Epsilon is the world's largest permission-based email marketing provider, sending over 40 billion emails annually and serving 2,500 clients, including seven of the Fortune 10.

Because of the breach and Epsilon's reach, you may get more phishing emails. Advisors, since they themselves hold personal data, need to be on guard for these phishing scams, which are getting more clever all the time.
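As an added illustration (not part of the original post, and not Epsilon's or any bank's own tooling), the following Python script applies three simple checks that an advisor's IT or compliance staff could run over a suspicious HTML notification of the "your email address was exposed" kind described above: does the visible link text name one domain while the link target points at another, does a link leave the sender's own domain, and does the link text ask the reader to verify account or password details. The sender domain example-bank.com, the sample message and the naive two-label "owner domain" rule are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from the <a> tags of an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'owner' domain: the last two labels (example-bank.com for mail.example-bank.com).
    Assumption: no public-suffix list is consulted, so co.uk-style suffixes are not handled.
    Bare IP addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
CREDENTIAL_PROMPT = re.compile(
    r"(verify|confirm|update|validate).{0,30}(password|account|login|sign in)", re.I
)


def find_phishing_indicators(html_body, sender_domain):
    """Return a list of (indicator, link_text, href) for every suspicious link.

    Three heuristics common in phishing-awareness material:
      1. display-domain mismatch: the visible text names one domain, the href goes to another
      2. off-domain link: the link leaves the sender's own registrable domain
      3. credential prompt: the link text asks the reader to verify account or password details
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar links are out of scope for these checks
        host_domain = registrable_domain(url.hostname or "")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != host_domain:
            findings.append(("display-domain mismatch", text, href))
        if host_domain != sender_domain.lower():
            findings.append(("off-domain link", text, href))
        if CREDENTIAL_PROMPT.search(text):
            findings.append(("credential prompt", text, href))
    return findings


# Constructed sample: a mock notification in the style of the post-breach warnings.
# The sender, domains and IP address are invented for this example.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>A marketing vendor we use has reported unauthorized access to a file containing your email address.</p>
<p>Please <a href="http://secure-login.example.net/bank">verify your account password</a> now.</p>
<p>Or visit <a href="http://203.0.113.5/login">www.example-bank.com</a> for details.</p>
<p>Read our <a href="https://www.example-bank.com/privacy">privacy notice</a>.</p>
"""

if __name__ == "__main__":
    for indicator, text, href in find_phishing_indicators(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{indicator:24} text={text!r} href={href}")
```

Run against the constructed sample, the script flags the first two links (four findings in total) and leaves the genuine privacy-notice link alone. The checks are deliberately conservative: a legitimate message that links to a third-party statement host will also trip "off-domain link", so treat the output as a prompt to verify the sender through a known channel rather than as a verdict.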

In addition, as an advisor, you want to communicate with clients about computer security issues. It's in your interest to help clients understand security threats and to use you as a trusted resource on security matters. Why?

Advisors benefit enormously from the efficiency gained by using the Web, and so do your clients. Sending clients electronic account statements and portfolio performance reports instead of paper statements and reports, for example, saves you postage and processing and lets you communicate faster and with rich media.

Clients must feel secure about using the Web to manage their financial affairs, however. To the extent advisors educate clients about online security and privacy issues, they can become a helpful and authoritative resource on these issues.

The other reason advisors should be paying attention to the Epsilon case is that it is a good example of how NOT to handle a security breach.

The lack of information coming out of Epsilon is causing the tech press to speculate about how bad the breach may actually be.

The first rule of crisis management is don't cover up bad news. Let people know you have bad news. Put it out there. If someone else puts it out there, it will probably be inaccurate or sound worse than if you come clean.

Epsilon's home page, for example, should have a link to a statement from the company about the breach. It does not. Only when you go to Epsilon's "Press" page do you find a press release.

Making matters worse, Epsilon's press release makes it seem like the company is hiding something, which only fuels speculation about the breach and what's being done about it.

For example, most of the tech press is reporting that "millions" of email addresses were exposed to the hacker. Epsilon has not said whether this "fact" is indeed true.

Yesterday, Epsilon updated its 80-word April 1 press release with the following footnote: "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."

Why is a company updating a press release with a footnote? I've never seen that before! Why not just issue another press release and provide accurate statistics on how many email addresses were exposed to the hacker? The footnote just makes things more suspicious and makes you trust Epsilon less!

It makes you speculate that 2% of Epsilon's 2,500 clients is just 50 companies. Such sensitive issues should not be left to speculation.

The point is, advisors hold personal data on their clients and can benefit from watching the Epsilon breach and communicating with their clients about how to guard against the phishing attacks it is widely expected to spawn.


Comments (1)

rogerb540
Over the past three days, several well known clients have provided valid information on receiving this email breach warning from companies such as Chase, Barclays Bank of Delaware, and Best Buy. Several items that each client had in common were ... 1) all had longstanding business relationships via credit card and/or purchases, 2) each registered email addresses and used EFT to make payments, and 3) that their email notifications about Epsilon were very similar.
Most disturbing to the clients was the phrasing such as ... "Barclays Bank of Delaware is the bank behind your credit card referenced above. We have been informed by Epsilon, a marketing vendor we use to send emails to customers, that someone outside their company gained unauthorized access to files in their systems that "included" your email address. This has affected many of our credit cards under our various co-brands, including the brand on your card.
Epsilon has assured us that the only information that was obtained was your name and email address. Please be assured your account and any other confidential or personally identifiable information were not at risk."

FYI. RB 4/05/11
rogerb540 , April 05, 2011
