The recent data loss event at Epsilon, a third-party email marketing and service provider, may have dealt a severe blow to the blossoming cloud-based managed services industry and the trend toward outsourcing.
Epsilon, which contracts with some of largest retail and financial companies in the nation, reported that their systems experienced an unauthorized access event that has exposed the names and email addresses of the customers the company's clients serve.
While the total number of records stolen has not been determined, the list of companies whose client data has been exposed has now grown to more than fifty, putting the Epsilon breach in the running as being one of the largest data breaches on record.
Epsilon sends as many as forty-billion marketing and advertising emails yearly on behalf of more than 2,500 companies. Initial reports indicate that only client names and email addresses where exposed, and that no financial data was revealed in the breach.
The risk of massive data exposure is compounded where multi-tenant cloud-based platforms are concerned, and the Epsilon breach has reignited debate regarding the issue of "trust" where security is concerned.
“Any company that is privileged to manage the information that a company maintains about its customers should be paying attention... Customers will surely start to wonder if they can’t trust these firms with their email addresses. [They ask themselves if it’s] really that smart to trust them with their credit card data, or with their mortgage,” said Dave Frankland, a principal analyst with Forrester Research.
Maintaining adequate security on a large multi-user cloud platform is a technically complicated task. Al DiGuido, the former CEO of Epsilon, speculates that hackers must have compromised the partitions that separate different clients on the system.
The attackers may have assumed an elevated authorization status on the system by finding a vulnerability in the application layer access codes.
“It’s unclear as to how this could have been accomplished without having access to numerous client-specific access codes,” said DiGuido.
It is impossible to determine what the long-term effects the Epsilon breach will be, but the customers of Epsilon's clients will certainly question the security of their private information when entrusted to companies who outsource the handling of that data.
Epsilon's smaller clients would most likely be impacted the hardest if there were significant consumer backlash to the event, while the larger clients would be better prepared to absorb the hit.
And Epsilon itself is now faced with a public relations and marketing quagmire that could last for years to come, in addition to any subsequent legal liabilities from damages sustained by their client base.