Epsilon Breach: If the Blast Didn’t Get You, the Fallout Will

Maybe I’m just becoming jaded about the fact that we are losing the security battle to the criminal element, but I have to admit that the recently reported data breach at third-party marketer Epsilon did not at all come as a surprise.

As reported online in PC Magazine, the breach has exposed the e-mail addresses and names of customers at major credit-card issuers, Best Buy, TiVo, and more—“potentially leaving users open to phishing attacks.” An unauthorized entry into Epsilon's e-mail system occurred on March 30, the company said in a statement.

The good news for our industry is that no insurers were named on the list of compromised parties. (Editor’s note: Epsilon would not confirm this when contacted by INN—click here for more coverage.) The bad news is that a slew of banks and financial services firms are involved, and it would be foolish to believe that some of those problems won’t affect the insurance environment. Among such firms named were JPMorgan Chase, Citi, and Capital One. 

According to Epsilon, the exposed information was “limited” to e-mail addresses and/or customer names. That sounds pretty tame. Then again, Bankinfosecurity.com wonders whether or not this might be “the biggest breach ever.” In fact, the piracy of names and e-mail addresses is quite a serious matter because while that information by itself may be of limited use, it can be of tremendous help to criminals who can already mine lots of personal data on individuals from their social networking site profiles and postings—data that is disturbingly easy to find online.

Of course, phishing attacks are one danger, but this unintended loss of personal data also makes it more likely that identities will be stolen, bank accounts will be pilfered and credit fraud will see an increase. If yours is a firm involved with insurance against such events, you can also expect to see an uptick in claims.

To be sure, using the pilfered information to commit crimes will require some work on the part of criminals but it seems to me that the huge profits to be generated for such individuals/syndicates, as well as the extremely low probability of being caught, would be more than enough incentive. The question is: Are we willing to work as hard on protecting customer information and/or the systems that hold such data? Regrettably, as I mentioned in my last posting about insurer reluctance to spend on anti-fraud technology, I fear we will see even such a major event as Epsilon as a routine cost of doing business. 

So we will yawn and write off the losses. Yet for our customers, and indeed for ourselves as private citizens, such losses may not be so easily written off. And don’t we have a duty to protect our valued customers from the inevitable premium increases that will occur as this kind of crime continues to spread like a deadly disease?

I have to commend Epsilon and many of the affected firms for quickly notifying authorities and their own customers about the danger of this security breach. In the past, others have not been nearly as willing to inform those who would be affected.

The blast from this event may not be so damaging at first, but the fallout has the potential to make that “biggest ever” characterization a reality. I have no doubt that this kind of breach will become increasingly common. It is my fervent hope, however, that we do not become increasingly unaffected by these criminal acts to the point where we plant our heads firmly in the ground and await the inevitable blow to our hindquarters.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.