Epsilon’s Cross-Connected Names Nightmare
Written by Evan SchumanThe thus-far unidentified Epsilon cyberthieves may have a surprise in their systems: It may be a cross-connected database with the most sophisticated and comprehensive CRM profiles ever, profiles that a retail chain would kill for.
Most observers have looked at the stolen data as little more than a huge list of E-mail addresses. But this breach may be the quintessential example of the whole being far more than the sum of its parts. StorefrontBacktalk Legal Columnist Mark Rasch had an interesting observation: Combining the list of customer E-mails from Amazon, Best Buy, New York & Co, LL Bean, Target and Kroger (and quite a few more chains and banks and hotels) is nice, but what if you could cross-connect those files? How detailed a profile could you piece together on individual consumers?
Contractual obligations would have almost certainly prohibited Epsilon from trying such an effort, unless you think that Best Buy would have had no objection to letting Amazon and Target know which customers they share. But the thieves, however, have no such obligation—not that they would likely care about legal niceties such as contracts and criminal laws. Is it likely that they have figured out that cross-connecting their stolen goodies could create data that tons of naughty people would pay a lot more for, when compared with major-league spammers, who are notorious bargain-hunters?
Another consideration: Is the information indeed limited to E-mail addresses? It quite likely could include when that E-mail address was obtained. But how is that useful? When combined with other databases, it could be quite useful. Let’s say that Best Buy, on a particular date, changed its online shipping policy and started charging a lot more. How valuable would it be to Best Buy to learn how many of its customers suddenly signed up with Amazon within four days of that policy change?
Many organizations looking at the Epsilon breach have focused solely on the increased SPAM and identity-theft phishing efforts that could come from such a large theft of valid E-mail addresses. But without factoring in the cross-comparisons possibilities, the true value of that data is seen as an order of magnitude smaller than it should be.
Who would pay the big bucks for such data? Would unscrupulous retail execs? Maybe. But marketers would be more likely, along with consultants, distributors, manufacturers and investors.
This theft raises new implications for permission-based marketing. If consumer Jane Doe gives permission to The Acme Retail Company to store her E-mail so she can see discounts and shipment notices, does that mean Acme Retail has permission to send her E-mail address to a third-party E-mail service, such as Epsilon or ConstantContact?
It gets better. Let’s assume the answer is “yes.” If it’s permissible for Epsilon to house all of the customer E-mail addresses from 2,500 different businesses, there doesn’t seem to be anything that would prevent it from cross-comparing. Then is Epsilon clear to share the conclusions from those cross-comparisons in aggregate with anyone—for a price? Given that it has permission to use the names, why limit it to using the addresses in aggregate? Why not sell information back to any of its customers?
For example: “Hello, Mr. Best Buy. Thanks for sending us your 5 million customer E-mail addresses. For an extra $100 per customer, we’ll tell you on what other retail and bank lists we found each name.” Illegal, you say? Perhaps. But what if that offer is instead made to other cyberthieves? Suppliers? Heck, if those lists exist, why couldn’t they be subpoenaed by state or federal law enforcement or tax enforcement agents?
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
