Epsilon Breach May Finally Force Data Handling Rule Changes—And It’s Only About Five Years Late

Written by Evan Schuman
April 6th, 2011

The massive Epsilon E-mail data breach—which has sent to cyberthieves E-mail addresses from the files of Target, Best Buy, Kroger, Walgreens, Home Depot Credit Card, HSN, Marks and Spencer, New York & Co., Brookstone, Eddie Bauer, Ethan Allen, Fry’s Electronics and countless other retailers—may be what finally pushes chains to insist that PCI-like rules be applied to all corporate information and not merely payment data.

Epsilon is merely the latest in a series of publicized, highly embarrassing incidents for retailers where they are taking a consumer black eye for breaches, ethically questionable activities or gaping security holes that were entirely handled by third parties. Whether it’s supply-chain management holes perpetrated on a multi-billion-dollar retail chain, SEO efforts against JCPenney or data-backup screw-ups that crippled the American Eagle Outfitter’s site for eight days, retail IT execs are learning that as long as they are going to be blamed for what third-parties do in their names, they might as well take a much more active role in beefing up protection of all customer data.

Contractual language requiring performance levels and appropriate procedures is nice, but it does little to prevent disasters. Actively spot-checking performance, with IT staff periodically doing sneak inspections with all third parties that handle crucial data, would be a move in the right direction. But by themselves, audits are expensive (and thus undercut much of the business case for outsourcing these functions in the first place) and don’t really solve the problem unless the standards for handling that data are raised.

And it is a problem, even if a retailer’s IT group isn’t even slightly at fault. How many consumers this week firmly believe that it was Best Buy or Walgreens that suffered an E-mail data breach? Most of the chains did everything they could to throw Epsilon under whatever bus could be found, not that it’s doing much good with consumer perceptions.

Best Buy’s statement was typical, with a headline that said “Best Buy E-mail Vendor Epsilon Reports That Some Best Buy Customer E-Mail Addresses Were Accessed.” The statement was strong in its wording that Epsilon got breached, not Best Buy.

Such nuances don’t play. If a consumer gives Best Buy an E-mail address and that address gets stolen, it’s Best Buy’s fault even if Best Buy didn’t do anything wrong. No one ever said life was fair.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.