
Ulf Mattsson, CTO, Protegrity: Epsilon and the Value of Personally Identifiable Information

May 2011 by Ulf Mattsson, CTO, Protegrity Corporation

The media has been abuzz about the most recent security breach at Epsilon, the world’s largest “permissions-based” email marketing company that provides third party data hosting services. These breaches are nothing new, but I have noticed a rising number of them that target personally identifiable information (PII), as we recently saw with McDonald’s and Walgreens.
From a data security perspective, this is fascinating as hackers have traditionally targeted financial information.

Not much has been written about how to protect PII, but here’s my opinion:

1. PII is just as valuable as financial information – Data breaches are no laughing matter with a recent Ponemon study indicating that on average, organizational data breaches cost $7.2 million, and PII such as date of birth, email addresses and passwords have become a primary target of malicious attacks. Hackers can use this information for various scams like phishing to prod for more valuable information such as credit card and bank account numbers. A good rule of thumb would be to protect PII as you would financial information. This would ensure that you have the best security measures in place to mitigate the next breach.

2. Malicious attacks require modern solutions – We still don’t know what type of data security solution Epsilon used when its servers were breached on Friday. What we do know is that the company wasn’t using encryption. Organizations need to be actively monitoring emerging data security technologies because solutions like masking and hashing are no longer sufficient. PII should be protected by modern encryption or tokenization. These technologies provide heightened protection that will be able to fend off the next malicious attack.

3. Know where your data is going – Over the past few months, I’ve been stressing the importance of understanding your data flow. Outsourcing your database hosting duties does not mean that you outsource liability. At a minimum, you must know what type of security solution your third party firm is using for data in transit and at rest, and when and how frequently that firm is audited. Knowing this information will help you determine if your third party firm is implementing the necessary protection measures.

4. Think twice before signing up for another coupon site – This is more from a consumer perspective. People need to keep better track of what type of information they’re giving out. Resist signing up for that new coupon site until you know more about that company. That information could be stolen from the company’s database and used in an elaborate scam. You need to be more careful when giving out PII.
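
Point 2 above argues that hashing is no longer sufficient for PII and that tokenization or encryption should be used instead. The Python sketch below is an added example, not code from the article or from Protegrity; it assumes an unsalted SHA-256 column and a hypothetical in-memory `TokenVault`, with constructed e-mail addresses, and checks which candidate addresses can be confirmed from each stored column without access to the vault.

```python
import hashlib
import secrets


class TokenVault:
    """Hypothetical in-memory token vault (illustration only)."""

    def __init__(self):
        self._token_for = {}  # PII value -> token
        self._value_for = {}  # token -> PII value

    def tokenize(self, value):
        # Reuse an existing token so joins on the tokenized column still work.
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token):
        # A real vault would enforce access control and audit logging here.
        return self._value_for[token]


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def confirmable(stored_column, candidates):
    """Candidates whose presence can be confirmed from the stored column alone."""
    stored = set(stored_column)
    return sorted(c for c in candidates if sha256_hex(c) in stored)


# Constructed sample data, not real addresses.
CUSTOMER_EMAILS = ["alice@example.com", "bob@example.org"]
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]


def compare():
    vault = TokenVault()
    hashed = [sha256_hex(e) for e in CUSTOMER_EMAILS]
    tokens = [vault.tokenize(e) for e in CUSTOMER_EMAILS]
    return {
        "hashed": confirmable(hashed, CANDIDATES),      # both customers confirmed
        "tokenized": confirmable(tokens, CANDIDATES),   # nothing confirmed
        "roundtrip": [vault.detokenize(t) for t in tokens],
    }


if __name__ == "__main__":
    print(compare())
```

The tokenized column is only as safe as the vault that maps tokens back to values, so the vault must be stored and access-controlled separately from the data it protects.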

