Epsilon’s Cross-Connected Names Nightmare

Written by Evan Schuman
April 13th, 2011

The thus-far unidentified Epsilon cyberthieves may have a surprise in their systems: It may be a cross-connected database with the most sophisticated and comprehensive CRM profiles ever, profiles that a retail chain would kill for.

Most observers have looked at the stolen data as little more than a huge list of E-mail addresses. But this breach may be the quintessential example of the whole being far more than the sum of its parts. StorefrontBacktalk Legal Columnist Mark Rasch had an interesting observation: Combining the list of customer E-mails from Amazon, Best Buy, New York & Co, LL Bean, Target and Kroger (and quite a few more chains and banks and hotels) is nice, but what if you could cross-connect those files? How detailed a profile could you piece together on individual consumers?

Contractual obligations would almost certainly have prohibited Epsilon from attempting such an effort, unless you think that Best Buy would have had no objection to letting Amazon and Target know which customers they share. The thieves, however, have no such obligation—not that they would likely care about legal niceties such as contracts and criminal laws. Is it likely that they have figured out that cross-connecting their stolen goodies could create data that tons of naughty people would pay a lot more for, when compared with major-league spammers, who are notorious bargain-hunters?

Another consideration: Is the information indeed limited to E-mail addresses? It quite likely could include when that E-mail address was obtained. But how is that useful? When combined with other databases, it could be quite useful. Let’s say that Best Buy, on a particular date, changed its online shipping policy and started charging a lot more. How valuable would it be to Best Buy to learn how many of its customers suddenly signed up with Amazon within four days of that policy change?

Many organizations looking at the Epsilon breach have focused solely on the increased spam and identity-theft phishing efforts that could come from such a large theft of valid E-mail addresses. But without factoring in the cross-comparison possibilities, the true value of that data is seen as an order of magnitude smaller than it should be.

Who would pay the big bucks for such data? Would unscrupulous retail execs? Maybe. But marketers would be more likely, along with consultants, distributors, manufacturers and investors.

This theft raises new implications for permission-based marketing. If consumer Jane Doe gives permission to The Acme Retail Company to store her E-mail so she can see discounts and shipment notices, does that mean Acme Retail has permission to send her E-mail address to a third-party E-mail service, such as Epsilon or ConstantContact?

It gets better. Let’s assume the answer is “yes.” If it’s permissible for Epsilon to house all of the customer E-mail addresses from 2,500 different businesses, there doesn’t seem to be anything that would prevent it from cross-comparing. Then is Epsilon clear to share the conclusions from those cross-comparisons in aggregate with anyone—for a price? Given that it has permission to use the names, why limit it to using the addresses in aggregate? Why not sell information back to any of its customers?

For example: “Hello, Mr. Best Buy. Thanks for sending us your 5 million customer E-mail addresses. For an extra $100 per customer, we’ll tell you on what other retail and bank lists we found each name.” Illegal, you say? Perhaps. But what if that offer is instead made to other cyberthieves? Suppliers? Heck, if those lists exist, why couldn’t they be subpoenaed by state or federal law enforcement or tax enforcement agents?

