How many emails does it take to breach data?

11th April
written by luppens

How many emails does it take?

With the recent Epsilon data breach, you should begin to ask: how many emails does it take to get your personal information? ONE CLICK. I have said it before and I will say it again: messaging can and will expose you to threats because DATA IS POWER AND POWER IS MONEY!

Does that mean you need to become a hermit and crawl under a rock? Well, some security experts may tell you to do just that, but the bottom line is that if you have something someone else wants, and they can make more money off you than by working hard themselves, they will figure out a way to turn over your rock.

Me personally, I received at least 10 emails from various entities telling me that their databases with Epsilon were compromised. Does this put me on heightened awareness? Yes. Similar to 911, it will do this for a time period, but I, just like every one of you, will become relaxed over time.

I guess this blog is going to look at two perspectives: the company's and the individual's.

Individuals need to be more than mindful about their emails and other means of electronic communication. Always look for the “s” at the end of “http” in the address when you are signing in to a site with credentials that could be compromised and are worth something on the black market, such as those for a bank or credit card. Just because you haven’t received a sudden increase in spam doesn’t mean they aren’t planning how to get your information out of you. Right now the criminals realize that you are in a heightened state of awareness; they are not going to strike until things have calmed down. When they do, I would expect a slew of phishing, virus, and data mining attempts on your personal information.

Depending on what type of person you are, you may consider credit monitoring, identity theft coverage, or even putting a hold on all credit extensions using your social security number. Make sure to get some up-to-date virus protection; while it will only protect you from the known viruses, it’s better than nothing. If you get a suspicious or clearly phishing email, report it to the email service, the company or agency involved, and the federal government at [email protected]. As for the attempts, it isn’t a matter of when, but how many you will receive. It only takes one wrong click!

Companies, I bet this is putting your outsourcing risks in a whole new light when your outsourcer has access to customer data. Although you may consider an email address to be a non-confidential piece of information, email is now one of our predominant means of communicating with the world around us. If you were sent a certified letter in the mail with a return receipt, you would consider the sender to have serious intent with that communication, so why treat email so differently? With email, the risk is even greater, because a compromised email address could lead to the consumer being misled, having their accounts compromised, or even suffering identity theft. Consumers have an inherent trust when it comes to electronic communications; they will typically click on just about anything.

So what now? Will you be held liable because you didn’t ensure that your external vendor had enough sense to keep your data reasonably safe? What is reasonably safe? Is a SAS70 sufficient? It’s time to see all contracts with external vendors who will be handling consumer data include a right to audit how they keep and maintain your data. At one time, this might have been the intent of the SAS70, but as most of us in the audit realm know, SAS70s barely scratch the surface. You also need to further define your data standards in tiers deeper than non-confidential and confidential. For the company’s liability, this is an area that needs to be addressed now, not when the regulators tell you to do so or when the financial loss/risk is finally greater than the cost of implementation.

