How to Prevent an Email Security Breach

Apr 05, 2011 1:36 AM

The press release issued Friday by Epsilon was certainly not an April Fool’s joke.

The marketing database company experienced a security breach of its email system, which Epsilon says was limited to just names and email addresses.

It’s hardly the public relations Epsilon – or any company – really wants, but the story is all over the news. As more merchants and banks tell their customers that their personal information may have been compromised, the story keeps snowballing in the media.

And as a result of the breach, consumers are flooding Twitter to say they’re receiving a lot more spam than usual, thanks to phishers who may have gotten hold of these names and email addresses.

So what did we learn from the security breach? That it can happen to any company – even one as established and well respected as Epsilon, says Austin Bliss, president of email marketing services firm FreshAddress.

On top of carefully choosing a database vendor, Bliss says merchants need to take two different paths to ensure security. First, they need to educate their employees about keeping their own computers safe. Then they need to know how to react in the event their databases are breached.

“Your data is only as secure as your weakest link,” Bliss says. “We see plenty of our clients going for low-price when they’re choosing a provider, but what kind of shortcuts do they take with their own security systems that could make your customer data vulnerable?”

Here’s some advice from Bliss on how to keep your databases secure:

  • Only send data through a secure FTP server. Bliss says there have been too many incidents of his clients emailing customer information to his company because the client did not want to use the secure server.
  • Never send account numbers, Social Security numbers or any other personal information. Send only the information the database marketer absolutely needs to contact your customers. In the case of the Epsilon breach, the vendor says only names and email addresses were compromised, but there has been no word yet on whether any of its clients had additional fields in their databases.
  • Find out what the vendor does with your data after it is done with it. Is it destroying the information when it is no longer needed, or is the company storing it for “safe keeping”?
  • Make sure your employees’ computers are safe. Anyone could open what they think is a bill from a trusted provider, only to find they have been directed to a phishing site. For that matter, they could open a bit.ly URL in a tweet tagged #Epsilon and be led to a malicious website. If your employees are skipping routine maintenance because they say they don’t have time, tell them to make time.
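The first two points above, sending only what the vendor needs and keeping account and Social Security numbers out of the export entirely, can be enforced in code rather than by policy alone. The script below is an added example, not code from this article, from FreshAddress or from Epsilon; the column names, the sample customer export and the choice of Python are assumptions. It applies an allow-list of the fields the vendor needs and then fails closed if any kept column still contains values shaped like a Social Security number or a Luhn-valid card number, so a mislabelled column cannot ride along on the strength of its header alone.

```python
"""
Added example (not from the article, FreshAddress or Epsilon): build the
minimal file an email-marketing vendor needs from a fuller customer export.

Two controls are combined:
  1. An allow-list of the columns the vendor actually needs (names assumed).
  2. Content checks that fail closed if a kept column contains values that
     look like SSNs or card/account numbers, so a column that was mislabelled
     upstream cannot slip through just because its header looks harmless.
"""
import csv
import io
import re

# Columns the vendor needs to contact customers (assumed names).
VENDOR_FIELDS = ("first_name", "last_name", "email")

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# 12-19 digits with optional spaces/dashes: candidate card or account number.
DIGITS_RE = re.compile(r"^[\d\s-]{12,19}$")

# Constructed sample: a typical "everything" export that must never be sent.
SAMPLE_EXPORT = """\
customer_id,first_name,last_name,email,ssn,card_number
1001,Ada,Lovelace,ada@example.com,123-45-6789,4111 1111 1111 1111
1002,Alan,Turing,alan@example.com,987-65-4321,5500 0000 0000 0004
"""

# Constructed sample with an SSN sitting in a column the allow-list keeps.
MISLABELLED_EXPORT = """\
first_name,last_name,email
Grace,123-45-6789,grace@example.com
"""


class SensitiveDataError(ValueError):
    """Raised when the export cannot be made safe to hand to a vendor."""


def luhn_ok(number: str) -> bool:
    """Luhn checksum as used by payment card numbers (non-digits ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_sensitive(value: str) -> bool:
    """True if a value is shaped like an SSN or a Luhn-valid card number."""
    v = value.strip()
    if SSN_RE.match(v):
        return True
    return bool(DIGITS_RE.match(v)) and luhn_ok(v)


def minimize_export(csv_text: str, fields=VENDOR_FIELDS) -> str:
    """Return a CSV containing only `fields`, or raise if it is still unsafe."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [f for f in fields if f not in (reader.fieldnames or [])]
    if missing:
        raise SensitiveDataError(f"export lacks required columns: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    for lineno, row in enumerate(reader, start=2):
        kept = {f: row[f] for f in fields}
        for name, value in kept.items():
            if looks_sensitive(value):
                raise SensitiveDataError(
                    f"line {lineno}: column {name!r} holds an SSN/card-shaped value"
                )
        writer.writerow(kept)
    return out.getvalue()


def export_is_safe(csv_text: str) -> bool:
    """Convenience check: does the export pass minimization without error?"""
    try:
        minimize_export(csv_text)
        return True
    except SensitiveDataError:
        return False


if __name__ == "__main__":
    print(minimize_export(SAMPLE_EXPORT), end="")
```

Only the minimized output is what goes to the vendor over the secure file transfer channel; the raw export never leaves your side. The content check is a heuristic that catches SSN- and card-shaped values, not arbitrary personal data, so it complements the allow-list rather than replacing it.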

Bliss says marketers and merchants also need a game plan in place. Some merchants and marketers were only getting the word out to their customers today (April 4) about the possible breach, which took place on March 30. Even Epsilon didn’t send out a release until two days after the breach.

Bliss says it appears many of Epsilon’s clients simply didn’t know what to do in an emergency. Both Epsilon and its clients should have alerted their customers immediately, Bliss says.

“Remember that even with the best security possible, things might go wrong,” Bliss says. “You need to have a contingency plan in place.”