Less than a year after a massive data security breach, Epsilon Data Management LLC has hired new security and IT leadership in the hope of addressing its security lapses and repairing its tarnished image.
Epsilon CISO Chris Ray, who took over the role in November, said he is assessing the firm’s security systems and getting a better understanding of its business before making any drastic changes to bolster security. Ray said he plans to add talented security pros to his team.
“My first steps are to revise the security risk management practices, expand the information security team and assess and monitor for opportunities to improve security at Epsilon,” Ray said. “It will be critical that the team works closely with the key business stakeholders and ensure the right balance is set to meet all needs while introducing new policies and technologies.”
Irving, Texas-based Epsilon suffered a breach of its systems in March, resulting in the leakage of millions of emails. The firm, which handles the messaging for more than 2,000 major banks, retailers and other companies including Best Buy, LL Bean and Walgreens, said an attacker gained access to its email system, stealing names and email addresses. While the breach didn’t include more sensitive data, such as credit cards and account credentials, security experts said the breach was significant because the stolen email addresses could be used in spam and phishing campaigns.
Ray, who served for over 6 years as the vice president of information security and software change management at Aflac Corp., said Epsilon’s security processes and controls need to be balanced around the company’s business applications without hindering its clients’ ability to do business with the company. At Aflac, Ray managed vulnerability management, incident response and regulatory compliance.
“Epsilon’s [threat] landscape is similar to that of many other companies,” Ray told SearchSecurity.com in an interview via email. “We have a digital presence, thousands of customers and large amounts of data which require diligence and maintaining the utmost level of security.”
The Epsilon breach is one in a string of high-profile data breaches that exposed email addresses and, in some cases, passwords. The problem is hardly new. Monster.com suffered a breach in 2007 and again in 2009, in which millions of user IDs, passwords, email addresses, names and phone numbers were exposed. Scammers used the data to target both job seekers and recruiters using Monster.com email addresses.
More recently, Care2, a popular social network, was forced to warn its 15 million members that their email addresses had been exposed. The latest massive breach was at Amazon-owned online shoe retailer Zappos Inc., which affected 24 million customers. Beyond the disruption to customers, who must reset their passwords and be warned of the potential for spam and phishing attacks, breaches of this nature can tarnish the company’s brand, experts say. In an interview last month with SearchNetworking.com, Zappos CSO Saffet Ozdemir said the firm was slowly migrating to a virtual private cloud, using it first for development and backup before moving critical data onto virtual servers. The most critical part of Zappos’ strategy was to maintain segregation of critical systems, Ozdemir said.
Graham Cluley, a senior technology consultant at U.K.-based security vendor Sophos, said the problems stem from companies failing to encrypt email addresses, account credentials and other customer data. E-commerce sites especially have to be aware of common website vulnerabilities such as SQL injection and cross-site scripting, which give attackers a way into Internet-facing systems, Cluley said.
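To make the two web vulnerabilities Cluley names concrete, here is an added example (not code from the article or from any of the companies it mentions) contrasting a subscriber lookup that concatenates user input into SQL with one that binds it as a parameter, plus output encoding for the cross-site scripting case. The in-memory SQLite table, the `subscribers` schema and the sample rows are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory database standing in for a customer-facing
# mailing-list store; schema and rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn

def lookup_unsafe(conn, email):
    # Vulnerable pattern: untrusted input is spliced into the query text,
    # so the database parses attacker-controlled characters as SQL.
    sql = "SELECT name FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # Hardened pattern: the driver binds the value separately from the
    # statement, so the input can never change the query's structure.
    rows = conn.execute(
        "SELECT name FROM subscribers WHERE email = ?", (email,)
    )
    return [row[0] for row in rows]

def render_greeting(name):
    # Output encoding: HTML-escape data before it lands in a page so a
    # stored value cannot become script or markup (cross-site scripting).
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"
```

The unsafe lookup returns every subscriber when handed input that closes the quoted literal, whereas the parameterized version returns nothing for the same string; a detection rule for logs might look for exactly that mismatch between a request's intended scope and the rows it touched.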
“In Epsilon’s case, their only job was to manage the email marketing for some very well-known companies who thought a third party would help them do it properly,” Cluley said. “In this case the experts failed and as a result we may see some companies bring this kind of data management in-house to manage their own mailing lists.”
Organizations that have suffered high-profile data breaches often wake up and put strong leadership in place, Cluley said. For one reason or another, the executive staff at breached firms likely didn’t recognize the need to invest more heavily in securing their systems, he said. Giving IT a voice at the table helps communicate the seriousness of security threats. Epsilon is adding that voice. In addition to Ray, Epsilon announced last week that it hired Keith Morrow as executive vice president and CIO. Morrow will oversee a staff of more than 200 IT pros. Morrow, who founded his own IT consultancy, served previously as CIO at Blockbuster Inc. and 7-Eleven Inc.
Epsilon’s Ray said a new CISO must learn the business and then pick a well-known standards framework to model the security program on. Frameworks such as ITIL, ISO and COBIT serve as a good starting point, he said.
“Begin looking at gaps you may have in comparison with that framework and then delve even deeper into understanding the business before you start trying to address those gaps,” Ray said.