Millions of email addresses were reportedly exposed to a hacker last week who broke into the world's largest email marketer's systems. What's it mean to advisors and their clients?
Epsilon issued a terse press release on April 1 about the March 30 incident, and yesterday it updated the release to say that it affected "approximately 2 percent of total clients."
Why, as an advisor, should you care? For a couple of good reasons.
First, the breach is expected to result in a phishing frenzy. (Phishing is an email designed to trick you into submitting your user ID and password to a rogue website that imitates a legitimate one.)
Epsilon is the world's largest permission-based email marketing provider, sending over 40 billion emails annually and serving 2,500 clients, including seven of the Fortune 10.
Because of the breach and Epsilon's reach, you may get more phishing emails. Advisors, since they hold personal data about their clients, need to be on guard for these phishing scams, which are getting more clever all the time.
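The post defines phishing as a message that lures you to a rogue website. The added example below, which is not part of the original post, shows the kind of check a mail filter or a cautious reader can apply: it parses the links in an HTML message, flags anchors whose displayed URL points at a different domain than the real `href`, flags hostnames that merely contain a trusted brand's domain without actually belonging to it, and notes urgency phrases. The sample message and the trusted-domain list are constructed for the example; the "registrable domain" helper is a deliberate simplification (real filters consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML body, not a real message from the breach.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been suspended. Verify immediately:</p>
<a href="http://secure-login.example-bank.com.evil.test/verify">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

# Constructed list of domains the reader actually does business with.
TRUSTED_DOMAINS = ("example-bank.com",)

# Phrases that pressure the reader into acting without thinking.
URGENCY_WORDS = ("verify immediately", "account has been suspended",
                 "urgent", "confirm your password")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified: keep the last two labels (a real filter uses the public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable phishing indicators found in an HTML body."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html)

    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registrable_domain(href_host)

        # Indicator 1: the link text shows one URL but the href goes somewhere else.
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if registrable_domain(shown_host) != href_dom:
                findings.append(f"displayed {shown_host} but links to {href_host}")

        # Indicator 2: a trusted brand's name appears inside a host that is not that domain.
        for trusted in trusted_domains:
            if trusted in href_host and href_dom != trusted:
                findings.append(f"lookalike host {href_host} impersonates {trusted}")

    # Indicator 3: pressure language typical of credential-harvesting mail.
    lower = html.lower()
    for phrase in URGENCY_WORDS:
        if phrase in lower:
            findings.append(f"urgency cue: '{phrase}'")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL_HTML):
        print("-", finding)
```

Run against the constructed sample, the function reports the mismatched link, the lookalike host and two urgency phrases, while the legitimate help link passes. None of these checks is conclusive on its own; the value is in teaching clients to look at where a link really goes rather than what it says.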
In addition, as an advisor, you want to communicate with clients about computer security issues. It's in your interest to help clients understand security threats and use you as a trusted resource on security matters. Why?
Advisors benefit enormously from the efficiency gained by using the Web, and so do your clients. Sending clients electronic account statements and portfolio performance reports instead of paper statements and reports, for example, can save you postage and processing, and you will be able to communicate faster and use rich media.
Clients must feel secure about using the Web to manage their financial affairs, however. To the extent advisors educate clients about online security and privacy issues, they can become a helpful and authoritative resource on these issues.
The other reason advisors should be paying attention to the Epsilon case is that it is a good example of how NOT to handle a security breach.
The lack of information coming out of Epsilon is causing the tech press to speculate about how bad the breach may actually be.
The first rule of crisis management is don't cover up bad news. Let people know you have bad news. Put it out there. If someone else puts it out there, it will probably be inaccurate or sound worse than if you come clean.
Epsilon's home page, for example, should have a link to a statement from the company about the breach. It does not. Only when you go to Epsilon's "Press" page do you find a press release.
Making matters worse, Epsilon's press release makes it seem like the company is hiding something, which only fuels speculation about the breach and what's being done about it.
For example, most of the tech press is reporting "millions" of email addresses were exposed to the hacker. Epsilon has not said whether this "fact" is indeed true.
Yesterday, Epsilon updated its 80-word April 1 press release with the following footnote. "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."
Why is a company updating a press release with a footnote? I've never seen that before! Why not just issue another press release and provide accurate statistics on how many email addresses were exposed to the hacker? The footnote just makes things more suspicious and makes you trust Epsilon less!
It makes you speculate that 2% of Epsilon's 2,500 clients is just 50 companies. Such sensitive issues should not be left to speculation.
The point is, advisors hold personal data on their clients and can benefit from watching the Epsilon breach and communicating with their clients about how they can guard against the phishing attacks it is widely expected to spawn.