Why we don’t need to be concerned about the Epsilon security breach
Apr 5th, 2011 | By Christian Donner | Category: Consumer Protection, Ethics, Security
A data breach at a little-known entity that affected companies from J.P. Morgan Chase & Co. to TiVo Inc. is shining a light on the outsourcing of email marketing campaigns, a practice that has grown steadily over the past decade as consumers become less responsive to commercial pitches.
In case you have not heard or read about this, take a look at this WSJ article before you continue. If the article is not accessible, try this version in Google’s cache.
But why shouldn’t we be concerned?
The short answer: because this incident represents only a tiny sliver of the problem, and so many other breaches will follow that it really makes no difference if you are concerned or not.
The long answer:
- the email marketing industry does not have to adhere to any meaningful legal framework or standard
- there is no meaningful oversight
- the people have been brainwashed into believing that the quest for higher corporate profits justifies everything (yes, everything)
I have received two warning emails so far, the first one from Chase (they hold the mortgage on my home) and one from Verizon (they provide the Internet service that allows me to post this). Here is the one from Chase:
Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.
We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.
As a reminder, we recommend that you:
- Don’t give your Chase Online℠ User ID or password in e-mail.
- Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
- Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
- Don’t reply to e-mails asking you to send personal information.
- Don’t use your e-mail address as a login ID or password.
The security of your information is a critical priority to us and we strive to handle it carefully at all times. Please visit our Security Center at chase.com and click on “Fraud Information” under the “How to Report Fraud.” It provides additional information on exercising caution when reading e-mails that appear to be sent by us.
Patricia O. Baker
Senior Vice President
Chase Executive Office
Instinctively I googled the woman’s name, and, not entirely unexpectedly, there were lots of hits. Many were blog posts from people like me who vented about receiving this email and the BS that it contains. But Google also returned a link to the Better Business Bureau’s page for Chase Home Finance LLC.
Alas, the folks over at Chase are not faring so well at the BBB. On a scale from A+ to F, and you may want to sit down before you read this, Chase Home Finance LLC is rated F.
So, no surprises there when it comes to ignorance regarding customers’ rights for privacy, something that could potentially reduce corporate profits in the very short term (3 to 6 months must be considered long-term in this country, and nobody seems to be able to develop a vision beyond that).
Anyway, here is the email from Verizon:
Dear Verizon Customer,
We have been informed by Epsilon, a provider of Verizon’s email marketing services, that your email address was exposed due to unauthorized access to its systems. Verizon uses Epsilon to send marketing communications on our behalf.
Epsilon has assured us that the information exposed was limited to email addresses, and that no other information about you or your account was exposed.
We regret any inconvenience this may cause you. Please be assured that we take the privacy of your information very seriously.
Chase had at least the decency to sacrifice one of their managers by putting her name under the email. Not so Verizon. They are hiding behind this fictional “Verizon” person. I do not know why Verizon has a B+ rating with the BBB. It seems that on a scale from A+ through F they deserve at least a G.
I have gone through dozens of “How we value your privacy” and “We do share your data except for …” types of letters, asking me to become active, make a phone call, go online, and somehow reiterate with these companies that I don’t want them to do X or Y with my data (while they reserve the right to do Z with it anyways, which makes X and Y pale in comparison). And it was always crystal clear that the privacy right fig leaf that has been put in front of an incredibly greedy and corrupt industry of data brokers is just that – a fig leaf. When the shit hits the fan, we are no better positioned to defend our privacy than the monkeys at your local zoo. It’s about time that this changes. But can it?