Last week, I attended the 2011 Xplor International Conference & Vendor Forum, which hosted a number of educational sessions on transactional documents, such as bills and statements, and the infrastructure that enables output and delivery of these mission-critical applications. Not only do these types of documents need to reach 100% of recipients consistently every cycle; many contain sensitive information about each recipient like credit card transactions, investment performance, utility usage, and much more. Considering the applications that are discussed at Xplor, it was no surprise that the recent data breach by database and e-mail marketing firm Epsilon came up in the discussion mix a number of times throughout the conference.
You may have heard about the Epsilon breach through the news, or you may have received an e-mail from one of the major brands affected by the breach like the ones here (courtesy of TDN editor Elizabeth Gooding):
Depending on people’s relationships with these brands, they may have received anywhere from one to six or more of these types of e-mails about the information breach. The brands affected include some of the biggest in the world, such as Citigroup, Chase, Ritz-Carlton, TiVo, and more. The information accessed by the attackers was limited to names and e-mail addresses associated with those brands. Of course, that’s just enough information to be dangerous in the attackers’ hands, whatever they intend to do with that data. Those affected should be on the lookout, well into the future, for suspicious-looking e-mails that try to collect additional information to further the attackers’ malicious activity. According to a recent report, Epsilon and its parent company, Alliance Data Systems, face over $100 million in costs and lost sales due to the breach.
Epsilon is not the only service provider that has faced data security troubles in recent years. In December 2010, another e-mail marketing provider, Silverpop Systems, faced a significant data breach in which attackers made away with similar details like names, e-mail addresses, and even birth dates from customers linked to brands such as McDonald’s. A few years back, attackers obtained credit card information for over 90 million accounts from retailer TJX Corporation due to weak security standards implemented at their TJ Maxx stores. That breach ended up costing the company over $160 million.
In case you haven’t figured it out by now, these types of customer data breaches have a series of negative consequences that go beyond having sensitive information get into the wrong hands:
- Consumers are more susceptible to disguised attacks that collect their information for further misdeeds.
- Brands themselves lose credibility with customers for the misuse of their data.
- Companies of all sizes lose faith and trust in using third-party service providers, including marketing service providers and cloud-based services.
- The federal government is prompted to take a much closer look at data security practices, as well as data-driven marketing applications. Expect tighter regulations in the future.
As print service providers across the industry continue to offer more personalized marketing services, they are becoming responsible for their clients’ customer data to help execute those campaigns. Furthermore, to execute cross-media campaigns, many providers are leveraging hosted, third-party solutions that retain customer data. Now that customer data breaches are grabbing headlines again, service providers need to be prepared to answer questions about how data is used in applications, who has access to it, how and where it is stored, and what type of security is protecting that data.
Now would be as good a time as any to do a thorough audit of your company’s own data security practices. If you don’t have any security practices but are handling your clients’ customer data, that should raise many red flags. Even if you don’t deal with the world’s major brands, clients of all sizes from all markets expect their data to be protected when in the hands of a third party. In addition, talk with your vendors and partners about the types of data security that they offer (vendors and partners: you’d also better have a good answer for those asking questions).
Building trust with clients regarding the use of data is often a long process, but it can end up with great relationships, applications, and results when executed well. That trust can be destroyed in a nanosecond if data is not stored and managed securely, and can end up costing companies big time. In light of these recent breaches, take the time to audit your practices and reassure your clients that their information is being handled in a sound, secure way.