This story appeared on Network World at
http://www.networkworld.com/columnists/2011/041311-bradner.html
Epsilon breach: When should almost-public info be private?
'Net Insider, by Scott Bradner, Network World
April 13, 2011 09:41 AM ET
A press feeding frenzy followed the somewhat vague April Fools' Day announcement by Epsilon Data Management that someone had hacked into its systems and stolen a bunch of email addresses. The addresses belonged to people who had "opted in" to email marketing from major vendors such as Target and Red Roof Inns, and many of those vendors sent announcements of the breach to their customers. (I got such an announcement from a vendor I had purchased a present from for my wife. The announcement did not say all that much; essentially it told me to "be careful.")
Was this an important breach? What should you do if you have amassed a pile of such information?
We did not find out all that much about the Epsilon Data Management breach from the first press release (other than that the company did not quite live up to the promise of its corporate name), and the second press release did not add much actual data.
It seems to me that it would be better for Epsilon to be more forthcoming as to the scale of the breach and other details.
It might be fun to try to figure out why the press found this breach so interesting. (This publication had 10 articles on it, and Google News picks up over 3,000.) By any objective measure, the loss of a bunch of email addresses pales in comparison to what else has been going on; for example, the breach at Ohio State University that may have exposed the names and Social Security numbers of 760,000 current and former Ohio State "faculty, students and staff as well as applicants and other individuals who have been associated with the university." The Ohio State breach seems to have gone unnoticed by most technical publications.
The biggest threat from the Epsilon breach to those whose email addresses were stolen is better-targeted phishing: the thief knows not only the address but which vendors its owner does business with, so a phishing message can impersonate a vendor the victim really is a customer of. RSA's description of how its recent breach happened (it began with a phishing email to employees) shows that the risk from phishing attacks can be quite real. But the risk from exposed email addresses will always be far less than from exposed SSNs, since so many institutions, such as banks, think that anyone with knowledge of your name and SSN must be you - a stunningly stupid, and common, assumption.
But there clearly is a lesson that enterprises should learn from the Epsilon situation: any enterprise that stores any significant amount of information that some part of the public might consider to be, to some degree, private needs to actually protect that information from theft.
One example of a reasonable best practice for protecting private information is the Payment Card Industry Data Security Standard (PCI DSS).
A lot in the PCI DSS might be overkill if you are only protecting a database full of names and email addresses, but the basic system architecture makes a lot of sense. For example, you should not store any confidential information on any Web server - ever. If you do need to store confidential data, store it on a backend database with a firewall between the database and any Web server, and between the database and any enterprise users. That firewall should pass only the database port, and only from the Web tier's addresses: a compromised Web server can then still issue queries with the application's credentials, but it cannot copy the database files or pivot to anything else, and a compromised desktop on the enterprise LAN cannot reach the database at all. (PCI DSS Requirement 1 spells out this segmentation for cardholder data.)
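As an added example, not code from the column or from the PCI Council, here is a host firewall for the back-end database server that enforces that segmentation with nftables. The Web-tier subnet, the DBA bastion host, the syslog collector and the PostgreSQL port are assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not from the column or from PCI DSS: a host firewall for the
# back-end database server. Only the Web tier may reach the database port; the
# enterprise user LAN and everything else inbound is dropped and logged.
# Subnets, hosts and ports below are assumptions chosen for illustration.

# Print an nftables ruleset for the DB host.
#   $1  subnet of the Web tier (DMZ), e.g. 10.0.1.0/24
#   $2  DBA bastion host allowed to SSH in, e.g. 10.0.9.5 (not on the user LAN)
#   $3  database port, e.g. 5432 for PostgreSQL
#   $4  syslog collector the DB host may send logs to, e.g. 10.0.9.10
db_host_ruleset() {
    web_subnet="$1"; bastion="$2"; db_port="$3"; loghost="$4"
    cat <<EOF
flush ruleset
table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Web servers may open database connections, nothing else.
        ip saddr ${web_subnet} tcp dport ${db_port} ct state new accept
        # Administration only from the bastion, never from the user LAN.
        ip saddr ${bastion} tcp dport 22 ct state new accept
        # Everything else (including the enterprise LAN) is dropped and logged.
        limit rate 5/second log prefix "dbhost-drop: "
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # The DB host may talk to the log collector; add a package mirror or
        # DNS resolver here if needed. It never initiates connections to the
        # Web tier or the user LAN, which limits what a compromised DB host
        # can reach.
        ip daddr ${loghost} udp dport 514 accept
    }
}
EOF
}

# Check helper for a deploy pipeline: exit 0 if the ruleset text on stdin
# contains any accept rule whose source is the given address or subnet.
# The enterprise user LAN must never make this return 0.
ruleset_accepts_from() {
    grep -q "ip saddr $1 .* accept"
}

# Usage on the DB host (nft reads the ruleset from stdin):
#   db_host_ruleset 10.0.1.0/24 10.0.9.5 5432 10.0.9.10 | nft -c -f -   # syntax check only
#   db_host_ruleset 10.0.1.0/24 10.0.9.5 5432 10.0.9.10 | nft -f -      # load it
# Regression check that the user LAN (assumed 10.0.2.0/24) is not allowed in:
#   db_host_ruleset 10.0.1.0/24 10.0.9.5 5432 10.0.9.10 \
#       | ruleset_accepts_from 10.0.2.0/24 && echo "BUG: user LAN can reach the database"
```

The default-drop policy on both chains is the point: new rules have to be added explicitly, so nobody can "temporarily" open the database to the office LAN without it showing up in the ruleset. The `ruleset_accepts_from` check is the kind of assertion you can run in a deployment pipeline before loading the rules.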
Such protections do not always prevent hackers from being successful, but they do make things harder for the hacker and give you a better story to tell if you do get hacked.
Disclaimer: Harvard has classes on how to tell stories, but I have not taken that class or asked the instructors about the above story, so it must be my own.
All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com