How To Avoid an Epsilon Hack (Sailthru Recommendations)
April 4, 2011
After speaking with quite a few people, and having some experience with website security, I thought I should weigh in on the recent Epsilon hack. A breach of this size is usually caused by a human: yes, unfortunately, you are the weakest link. The reason is simple: phishing emails are sent to individuals, and if the user clicks, a keylogger may end up installed on their machine. Once that user logs in to their Epsilon account, the attacker has a valid username and password to dive into all the PII (Personally Identifiable Information) that the user has access to. So on top of the OTA’s top ten, I’d add the following recommendations:
1. Evaluate who has access to PII within your organisation (and your vendor’s)
- Does Jane Doe need access to the actual email list of your entire 3MM list?
- Does your account handler at xyz vendor need to see actual PII?
2. Do not use file transfer – use real-time APIs over SSL
- Don’t use manual methods for transferring data to vendors
- Don’t use FTP for PII data transfer (or anything for that matter!)
3. Don’t store unencrypted passwords anywhere
- Not with your vendor and not in your own systems
- Reset password vs. forgotten password
4. Limit the number of actions by user and IP
- Look for odd behavior, e.g. users unusually downloading all of their data
5. Don’t include usernames and passwords in the same message
6. Rotate passwords (however annoying it is)
7. Frequently validate who has access to your PII (employees and vendors)
8. Create a PII data map: who has access, who is storing, what is being stored (and by which vendors)
9. Make sure employees aren’t saving PII in external files
10. Make sure you don’t have open Wi-Fi on your network, and look for foreign clients on the network
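As an added illustration of item 4 (this is example code, not code from the original post or from Sailthru’s systems), the following Python runs two checks over a constructed audit log: a per-user-and-IP action-rate limit and a records-touched threshold, both over a sliding time window, so that a single account pulling an entire list shows up as a "bulk_download" flag. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): time, user, source IP, action, records touched.
SAMPLE_LOG = """\
2011-04-01T09:00:00 jane 10.0.0.5 view_contact 1
2011-04-01T09:01:00 jane 10.0.0.5 export_list 500
2011-04-01T09:05:00 bob 10.0.0.9 export_list 200000
2011-04-01T09:06:00 bob 10.0.0.9 export_list 250000
2011-04-01T09:07:00 bob 10.0.0.9 export_list 300000
2011-04-01T10:00:00 alice 203.0.113.7 view_contact 1
2011-04-01T10:00:01 alice 203.0.113.7 view_contact 1
2011-04-01T10:00:02 alice 203.0.113.7 view_contact 1
2011-04-01T10:00:03 alice 203.0.113.7 view_contact 1
2011-04-01T10:00:04 alice 203.0.113.7 view_contact 1
2011-04-01T10:00:05 alice 203.0.113.7 view_contact 1
"""


def parse_log(text):
    """Turn each log line into (timestamp, user, ip, action, records), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, action, records = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action, int(records)))
    return sorted(events)


def find_anomalies(events, window=timedelta(minutes=10), max_actions=5, max_records=100000):
    """Flag (user, ip) pairs that exceed either an action-rate or a records-touched
    threshold inside a sliding window. Thresholds are assumed values for the example.
    Returns {(user, ip): set_of_reasons}."""
    recent = defaultdict(deque)   # (user, ip) -> events still inside the window
    flagged = defaultdict(set)
    for ts, user, ip, action, records in events:
        key = (user, ip)
        q = recent[key]
        q.append((ts, records))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > max_actions:             # too many actions from one user/IP
            flagged[key].add("action_rate")
        if sum(r for _, r in q) > max_records:   # one user/IP pulling a whole list
            flagged[key].add("bulk_download")
    return dict(flagged)


if __name__ == "__main__":
    for key, reasons in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(key, sorted(reasons))
```

In a real system the thresholds would be tuned per role (a support agent viewing single contacts versus an integration account), and a flag would trigger a step-up check or an alert rather than just a log line.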
As CEO of Sailthru, a service provider storing PII, we take the Epsilon leak as a serious hit to the industry in general. I hope that the above will help both our clients, other ESPs and any company that stores pertinent information about individuals. It’s our responsibility to look after the data entrusted to us by the consumer and our customers.