A security and privacy breach

Today I received three emails from three different companies, Brookstone, McKinsey and AbeBooks, telling me that ‘an unauthorized person’ had gotten access to my email address, and that the exposure happened at their email vendor. Not all of them name the vendor, but it was easy to identify it as Epsilon*, one of the most respected database marketers in the business. Look at the sentence in each email that describes what information was accessed: the three accounts are not consistent. AbeBooks says only email addresses were taken, McKinsey says first name, last name and email address, and Brookstone says first name and email address.

From AbeBooks:


Epsilon Informs AbeBooks of E-mail Database Breach

We have been informed by Epsilon, a third-party vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some AbeBooks customers. Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses.


As a reminder, AbeBooks will never ask customers for personal or account information in an e-mail. Please exercise caution if you get any emails that ask for personal information or direct you to a site where you are asked to provide personal information.

From McKinsey:

Important information from McKinsey Quarterly

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have any questions or concerns, please contact McKinsey Quarterly at info@mckinseyquarterly.com. For any media inquiries, please contact Humphrey Rolleston at +1-212-415-5321.

Sincerely,

Rik Kirkland
Senior Managing Editor
McKinsey & Company

From Brookstone:

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care

Soooo, what lessons can be taken from these three companies’ emails?

  1. None of them offered me the opportunity to change my email address (I am sure I can do this on the site, but not everyone will remember they can).
  2. Give us a name (a person) to follow up with if we want to talk to someone. It is very impersonal to sign an email about a matter as important as this one with a department name like “Brookstone Customer Care”.
  3. They all say that they will never share my information. Well, they did, so they have basically lied to me. There is probably a better way to word that statement and bring it closer to reality, such as “Our goal is never to share your information, and we know that we have not met our goal with this incident, and we apologize.” Come clean. Don’t lie to me. I do like that Brookstone says “we will continue to work diligently to protect your personal information.” That tells me they are taking at least partial responsibility for what happened.
  4. Tell me what happened and who is responsible. Not all of the above name Epsilon; Brookstone only refers to “our e-mail service provider”.
  5. Remind us to be cautious about any email that asks for private information. All three emails do this, and McKinsey and Brookstone also warn about links and attachments from unknown third parties.
  6. Remind users to change their email address and their passwords.
  7. Seed your email campaigns with addresses you control (a fake customer) so you find out when someone other than the party you intended is mailing your list. All traditional direct mail marketers do this, but my guess is that only a handful of email marketers do.
  8. Companies try to cover themselves with a disclaimer or a small footnote saying that a third party manages their customers’ email addresses. Why not just tell users who is managing their email, especially if it is a company like Epsilon, which has usually had a strong track record?
  9. Unless you are a new media hound like me, consumers do not know what other companies have been hacked. Why not work with the other affected companies and tell consumers the extent of the problem? Again, give them the whole story. If we know which companies are impacted, there is a good chance the hackers know too, and that sets up very targeted attacks to garner more personal information from you, also known as phishing.
  10. Research the history of data breaches and privacy issues so you can learn from others’ mistakes. Check out Privacy Rights Clearinghouse.
  11. Explore other sign-in methods, such as the two-step login Google uses. It is a better security method, and it requires you to have your mobile device with you when you log in. Corporate employees may be familiar with the RSA token code (SecurID), which is somewhat similar. It is an extra step, but it is probably a good thing to have these days. Basically you get a new code every time you need access to your email, and if that sounds cumbersome, companies should offer users the option to change how often they are asked for it.
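Point 7 above describes seeding a list with addresses you control. The following is an added example of how that works in practice; it is not code from the original post or from any company named in it. It assumes a domain (canary.example) whose inbound mail the list owner can read, a secret held only by the list owner, and made-up vendor names and sending domains; the sample messages are constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this example: a secret known only to the list owner, and a
# domain whose inbound mail the list owner can read (both made up here).
SEED_SECRET = b"replace-with-a-long-random-secret"
CANARY_DOMAIN = "canary.example"


def seed_address(vendor: str, campaign: str) -> str:
    """Derive one unique seed address per vendor and campaign.

    The local part is an HMAC tag rather than the vendor's name, so someone who
    dumps the list cannot recognise the canaries and strip them before spamming.
    """
    tag = hmac.new(SEED_SECRET, f"{vendor}|{campaign}".encode(),
                   hashlib.sha256).hexdigest()[:16]
    return f"s-{tag}@{CANARY_DOMAIN}"


def build_registry(handoffs):
    """Map every seed address back to the (vendor, campaign) it was given to."""
    return {seed_address(v, c): (v, c) for v, c in handoffs}


def classify(raw_message: str, registry: dict, vendor_domains: dict):
    """Classify one inbound message delivered to the canary domain.

    Returns ("leak", vendor, campaign) when a seed address is mailed from a
    domain other than the vendor that received it, ("expected", vendor,
    campaign) when that vendor mailed it, or None if no seed is a recipient.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for rcpt in recipients:
        if rcpt in registry:
            vendor, campaign = registry[rcpt]
            if sender_domain in vendor_domains.get(vendor, set()):
                return ("expected", vendor, campaign)
            return ("leak", vendor, campaign)
    return None


# Made-up vendors and the sending domains each one is known to use.
HANDOFFS = [("vendor-a", "spring-sale"), ("vendor-b", "quarterly")]
VENDOR_DOMAINS = {"vendor-a": {"mail.vendor-a.example"},
                  "vendor-b": {"mail.vendor-b.example"}}
REGISTRY = build_registry(HANDOFFS)

# Constructed sample messages, not real mail.
SAMPLES = [
    # The vendor holding the spring-sale list mails it: expected.
    "From: Promotions <news@mail.vendor-a.example>\r\n"
    f"To: Customer <{seed_address('vendor-a', 'spring-sale')}>\r\n"
    "Subject: Spring sale starts today\r\n\r\nHello!\r\n",
    # An unknown sender reaches vendor-b's seed (via Cc): that copy has leaked.
    "From: Account Team <security@login-verify.example>\r\n"
    "To: someone@elsewhere.example\r\n"
    f"Cc: {seed_address('vendor-b', 'quarterly')}\r\n"
    "Subject: Confirm your account\r\n\r\nClick here.\r\n",
    # Ordinary mail to a non-seed mailbox: ignored.
    "From: Alice <alice@staff.example>\r\nTo: postmaster@canary.example\r\n"
    "Subject: Hi\r\n\r\nMorning.\r\n",
]


def scan(samples=SAMPLES, registry=REGISTRY, vendor_domains=VENDOR_DOMAINS):
    """Classify every sample; a leak names the vendor and campaign that lost the list."""
    return [classify(s, registry, vendor_domains) for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan()):
        print(verdict, "<-", sample.split("\r\n", 1)[0])
```

Because each seed is derived from a secret instead of being spelled “seed-vendor-a@…”, whoever steals the list cannot pick the canaries out and drop them. The first time one of those addresses receives mail from anyone but the vendor it was handed to, you know which vendor’s copy leaked and for which campaign, without waiting for the vendor to tell you.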
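Point 11 describes the two-step login’s “new code every time”. Here is how such codes are generated and checked, as an added example of the RFC 6238 time-based one-time password scheme that authenticator apps use; it is not code from the original post, from Google or from RSA. The secret is the RFC’s published test key, not a real one, and the 30-second step and one-step drift window are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example: 6-digit codes that rotate every 30 seconds,
# and a server that tolerates one step of clock drift either way.
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); not a real secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the
    Unix epoch, which is why the displayed code changes every 30 seconds."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, candidate: str, unix_time: int,
           window: int = DRIFT_WINDOW, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and `window` steps either side.

    Widening `window` helps slow typists and skewed clocks but also gives a
    guesser more valid codes per attempt, so keep it small and rate-limit.
    """
    current = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        # Check every step instead of returning early, so response timing
        # does not reveal which neighbouring step matched.
        ok |= hmac.compare_digest(hotp(secret, current + delta), candidate)
    return ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("code for this step:", code, "accepted now:", verify(TEST_SECRET, code, now))
```

The server only needs the shared secret and a clock; nothing is sent to the phone per login, which is what lets the code be different every time without a network round trip. The “frequency” complaint at the end of point 11 is normally addressed one layer up, by letting the user mark a browser as trusted for a period after a successful second step, rather than by slowing down how often the code itself rotates.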

Other big companies were impacted, such as Citicorp, J.P. Morgan, U.S. Bancorp, Barclays, Capital One Financial Corp., Marriott International Inc., Ritz-Carlton and TiVo Inc. Epsilon informed these companies that only the person’s name and email address were exposed, but how do we know that?

One blogger responded by asking why such big corporations would entrust this data to a third party. According to Accenture, 55% of major corporations do. Sometimes it is not just for database management: sending out a large number of emails is a challenging process, so it does make sense to outsource it to a company like Epsilon, which can send large volumes of email at one time, capture bounce-backs, merge and purge lists, and so on.

Now that this has happened, it will be interesting to see how Epsilon or any of the Fortune 1000 companies involved will change their processes or policies related to customer data. I am sure (or at least I hope) they will hold a post-mortem discussion about this. But why does the customer never learn what was decided at those meetings? We customers don’t need to know everything, nor do we expect to hear about everything that went on behind closed corporate doors. But it would be nice to know that the company did do something different and better because of this.

Brookstone, McKinsey and AbeBooks, please tell me what you are going to do that’s different!
The Wall Street Journal has a good article on what happened.

*Disclaimer: I used to work at American Express, which owned Epsilon in the 1990s.
