Caveat Emptor: The Outsourcing Motto

April 4, 2011

Epsilon, a major marketing strategy firm that counts Capital One, Citibank, Barclays, and other major consumer financial outlets among its customers, experienced a significant data breach of potentially millions of consumer names and e-mail addresses.  Understandably, Epsilon is attempting to spin this as a limited data breach, with the scope of exfiltration limited to customer e-mail addresses and names “only”.  Unfortunately, as we see every day, targeted spear phishing attacks are increasing in both frequency and quality; the days of obviously forged emails with poor English grammar are rapidly falling behind us as phishing emails become harder to discern from the real thing, and methods beyond email, such as social engineering and evil twinning, continue to ramp up.

Of course, it would have been a lot better for everyone involved (consumers, Epsilon’s customers, and Epsilon themselves) if this issue had never occurred in the first place.  While we don’t yet know the details of the attack vector, you can bet that broad, real-time visibility across network activity, user activity, and application activity, the foundation of situational awareness, may well have given Epsilon the information to detect and remediate this issue before it turned into a PR nightmare.

Issues like the Epsilon breach should give pause to organizations that outsource services, particularly services that provide outsourced vendors with access to critical data such as customer information.  Outsourcing organizations need to ask hard, critical questions of their providers:

  • What are you doing to protect our customers’ data, and our intellectual property?
  • What standards and best practices are you implementing for information security?
  • How are you continuously monitoring security controls, infrastructure, and data to ensure that we don’t wind up in a headline?

Without asking these vital questions, and receiving cogent and complete responses, organizations are playing a game of roulette with their own and their customers’ data.
