How To Avoid an Epsilon Hack (Sailthru Recommendations)
April 4, 2011
After speaking with quite a few people, and being somewhat experienced in the security of websites, I thought I should throw in on the recent Epsilon hack. Usually a hack of this size is caused by a human because, yes, unfortunately, you are the weakest link. The reason is simple: phishing emails are sent to individuals, and if the user clicks, some kind of key logger may end up installed on their machine. Once that user logs in to their Epsilon account, the hacker has a valid username and password to dive into all the PII (Personally Identifiable Information) that the user has access to. So on top of the OTA’s top ten I’d add the following recommendations:
1. Evaluate who has access to PII within your organisation (and your vendor’s)
- Does Jane Doe need access to the actual email list of your entire 3MM list?
- Does your account handler at xyz vendor need to see actual PII?
2. Do not use file transfer – use real-time APIs over SSL
- Don’t use manual methods for transferring data to vendors
- Don’t use FTP for PII data transfer (or anything for that matter!)
3. Don’t store unencrypted passwords anywhere
- Not with your vendor and not in your own systems
- Reset password vs. forgotten password
4. Limit the number of actions by user and IP
- Look for odd behavior, e.g. users unusually downloading all of their data
5. Don’t include username and password in the same message
6. Rotate passwords (however annoying it is)
7. Frequently validate who has access to your PII (employees and vendors)
8. Create a PII data map: who has access, who is storing, what is being stored (and by which vendors)
9. Make sure employees aren’t saving PII in external files
10. Make sure you don’t have an open wifi on your network, and look for foreign clients on the network
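Recommendation 4 (limit actions by user and IP, and watch for users unusually downloading all of their data) is the one that can be turned directly into detection logic. The following Python is an added example, not Sailthru’s own code; the audit-log format, field names, user names and thresholds are all assumptions constructed for illustration. It runs sliding-window checks over a short constructed log and flags a user bursting exports, a user pulling an unusual volume of rows, and one source IP being used by many different accounts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (illustrative only, not real Sailthru or Epsilon data).
# Fields: timestamp  user  source_ip  action  rows_returned
SAMPLE_LOG = """\
2011-04-01T09:00:01 jane.doe 10.0.0.5 export_list 200
2011-04-01T09:02:10 jane.doe 10.0.0.5 export_list 300
2011-04-01T09:03:55 jane.doe 10.0.0.5 export_list 120000
2011-04-01T09:05:00 carol.w 203.0.113.7 export_list 500
2011-04-01T09:05:30 dave.k 203.0.113.7 export_list 400
2011-04-01T09:06:00 erin.m 203.0.113.7 export_list 450
2011-04-01T09:06:30 frank.o 203.0.113.7 view_contact 1
2011-04-01T11:30:00 jane.doe 10.0.0.5 export_list 100
"""

def parse_line(line):
    ts, user, ip, action, rows = line.split()
    return datetime.fromisoformat(ts), user, ip, action, int(rows)

def find_anomalies(log_text, window=timedelta(hours=1),
                   max_exports=2, max_rows=100_000, max_users_per_ip=3):
    """Return (kind, key, detail) alerts, one per (kind, key), for three sliding-window checks:
    export_burst (user > max_exports exports), bulk_rows (user > max_rows rows exported)
    and shared_ip (one source IP used by > max_users_per_ip distinct users), all within `window`."""
    per_user = defaultdict(deque)   # user -> recent (ts, rows) export events
    per_ip = defaultdict(deque)     # ip   -> recent (ts, user) events of any kind
    alerts, seen = [], set()
    def alert(kind, key, detail):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append((kind, key, detail))
    for ts, user, ip, action, rows in sorted(map(parse_line, log_text.splitlines())):
        q = per_ip[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:    # evict events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) > max_users_per_ip:
            alert("shared_ip", ip, f"{len(users)} distinct users within {window}")
        if action != "export_list":     # only bulk exports count toward per-user limits
            continue
        q = per_user[user]
        q.append((ts, rows))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_exports:
            alert("export_burst", user, f"{len(q)} exports within {window}")
        if (total := sum(r for _, r in q)) > max_rows:
            alert("bulk_rows", user, f"{total} rows exported within {window}")
    return alerts
```

Jane’s 11:30 export is not flagged because her morning activity has aged out of the one-hour window; the thresholds here are deliberately low so the sample trips them, and in practice they should be tuned per role.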
As CEO of Sailthru, a service provider that stores PII, I take the Epsilon leak as a serious hit to the industry in general. I hope that the above will help both our clients, other ESPs and any company that stores pertinent information about individuals. It’s our responsibility to look after the data entrusted to us by the consumer and our customers.