With the ‘advent’ of ‘cloud’ computing, which in real language means outsourcing using a common, shared contract, many companies are putting their data and absolute faith in the hands of third parties, perhaps without performing the exact same level of due diligence as they might should they ‘insource’. Or Ground Computing as I've decided to call it.
In the news last week, Epsilon, an online marketing division of Alliance Data Systems Corp., were implicated in a huge data breach, where a vast number of email addresses may have been compromised following a hacking attempt.
With some of the world's largest financial corporations as its customers (Citi, Barclays, Chase, Capital One), the data losses could potentially be huge. Epsilon are purportedly the world's largest provider of permission-based email marketing. Ouch.
As is typically the case, the extent of data loss, I would guess, is unknown – be this one email address or a billion. Only time will tell as these addresses are subject to spear phishing attacks, which unfortunately are notoriously difficult to trace.
If the world's largest email marketing company is unable to protect itself from the theft of sensitive, fee-earning data, then what chance do smaller companies stand?
Or is “the email address” just not considered information that's worth protecting? It's certainly personal data by definition under the Data Protection Act, but not “sensitive”.
I can only speculate, but perhaps the perceived value of email addresses did not hit Epsilon's risk register this year as they're simply not worth enough.
The repercussions? A slap on the wrist? Naughty naughty Epsilon, please don't do it again, but hey, you're great value for money so I'll just use you again anyway…