The email marketing service industry continues to be assaulted by hackers intent on breaching databases in search of sensitive information. Last month, major email service provider Epsilon, whose servers house millions of contact names on behalf of clients, suffered an unauthorized entry into its email system.
The attack followed one in November and December that compromised several smaller ESPs, including AWeber Communications, Return Path and Silverpop.
What's clear from the most recent attack on Epsilon—the largest permission-based email service provider—is that hackers are not relenting, nor has database security improved much in four months.
“The reality is, there is no silver bullet,” said Craig Spiezle, executive director and president of the Online Trust Alliance, a group that develops best practices for controlling data governance and online security threats, of a single solution to the problem. (Epsilon is one of OTA's members.)
“You need to look at "hardening' everything you can,” Spiezle said. “Just like at home, don't leave the doors unlocked and the alarm system off.”
Phishing attacks try to acquire sensitive information—such as user names, passwords and credit card details—by masquerading as a trustworthy entity in an email or an instant message. Once a recipient clicks on a phishing message, perhaps responding with sensitive information like a password, the sender may have enough data to enter a database and download its contents.
Stolen emails and passwords can then be sold to other spammers, eager to send out their own sales solicitations or malware under the guise of trusted email brands.
Epsilon said the information that was compromised was “limited to email addresses and/or customer names only,” and “no other personally identifiable information associated with those names was at risk.” Nevertheless, Epsilon's affected client list was a long and impressive one—among the compromised databases were those of Capital One, JPMorgan Chase, McKinsey Quarterly and Walgreens.DANGER "ACROSS THE BOARD'
Following the Epsilon breach, the OTA announced a new “security by design” organizational framework and guidelines to help address the ongoing attempts of cybercriminals. The guidelines recommend creating company security teams headed by chief security officers; identifying points of vulnerability in how data are handled; developing security reviews and ongoing audits; and implementing incident response plans.
The danger is “across the board,” Spiezle said.
“The industry needs to step up their game and invest in this area,” he said. “On the one hand, there is the prospect of federal regulation that would force greater security. But also there is the issue of consumer trust in emails and ads. The worst thing for the interactive industry is to have a trust meltdown. We have to get ahead of the curve.”
Also following the incident at Epsilon, the Direct Marketing Association followed up with a letter to its members from Senny Boone, the group's senior VP-corporate and social responsibility, urging vigilance.
“When a data breach occurs, it is a very serious matter for the direct marketing community,” Boone wrote. “Data security is ... critically important in building consumer trust in the marketing process.”
Observers say it's essential to find ways to eliminate the personal lapses of key employees with access authorization, who may unwittingly divulge database keys.
“The Epsilon attack was a wake-up call for all of us,” said Adam Blitzer, COO of marketing automation company Pardot, which offers email marketing as part of its lead nurturing and analytics platform. “For example, we recognized that certain people in our company had power-user access to our customers' databases but they didn't really need it.”
Pardot's databases were not affected by the latest hacks, but as a security measure Blitzer is now limiting high-level database access to a few employees. The company has also called for a new level of rigor, similar to that employed by financial institutions, for customers to be able to send an email blast through its platform.
“You really have to force it on your clients,” Blitzer said. “Also, marketers have to ask serious questions of their marketing automation vendors, questions that almost no one does.”
Return Path, which experienced database intrusions late last year, recently introduced its Domain Assurance service to help mitigate similar damage. It allows senders to validate email authentication results across campaigns sent from their domains, including transactional, marketing and corporate messaging.
Return Path's own certification processes are also used by other email service providers.
“We've detected phishing attacks against e-commerce, travel and social networking, in addition to the expected targets in financial services,” said George Bilbrey, president of Return Path. “Basically, any brand that is a household name has become a target for phishing.”
The Domain Assurance service is designed to block phishing emails before they are delivered to a customer's mailbox. Still, the weakest link in a database security program may well remain the individual employee who heedlessly allows a phishing scheme to succeed by clicking on a malicious message.
“Our servers are probed by hackers every single day,” said Pardot's Blitzer. “They probe, you monitor and the firewall blocks. Those are the easy things to do.
“Educating people—the social engineering part—is much tougher,” he said.
