Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Epsilon Data Breach Emphasizes Need to Proactively Create Security Awareness

Though it's not clear whether an attack is on the horizon, both bank and customer awareness can mitigate risk.

The Epsilon data breach, in which unauthorized access to the company's systems exposed the names and email addresses of millions of Americans, might or might not present a threat to financial institutions such as Citigroup, Capital One and JPMorgan Chase, which are clients of the online marketer.

In the near term, if that information is out there and available, it could mean more spam emails and phishing attempts.

"In reality that’s all it is," says Paul Schaus, president of CCG Catalyst consulting group. "So from a bank’s perspective you’re worried about customers getting spam emails or getting phishing emails. Those are the two big issues. It’s not a confidentiality issue."

But if those names and email addresses circulate in lists that let fraudsters correlate an individual with the institution he or she banks at, the result could be well-targeted phishing attacks.

"That’s the big concern," Schaus says. "That’s the area of risk."

However, it takes some work to get there. As Schaus explains, two things have to happen: first, the customer has to be unaware of the breach, and second, the email has to look authentic enough that the customer doesn't question it.

"I think from a business perspective, those who are in charge to protect accounts clearly have to do a more vigilant job because they can expect a wave of attack," says Ori Eisen, CEO and founder of fraud prevention and detection provider The 41st Parameter.

Eisen believes that if a bank is doing due diligence to protect from fraud, it'll minimize risk.

"People say the sky is falling," Eisen adds. "However if you do the monitoring day in and day out, regardless of the breach, you should have your risks managed."

Eisen added that the Epsilon breach, if it involves only names and email addresses, isn't as bad as some other recent events, such as the RSA security breach in mid-March. But names and emails correlated with a financial institution could have other, less direct effects.

"You can do some other things with it as well," he says. "If I know your email, I know a couple of things. In this case I know your name and email and I know you are a customer at a particular bank. I can also try to break into your email."

Schaus qualifies that, given the amount of information already readily available, the Epsilon breach -- if only names and email addresses were accessed -- doesn't add much that is new to the online security picture.

"You’ve got to put this all in perspective," Schaus says. "How many people put their email addresses out there in blogs, or in comments or emails or reviews on Amazon?"

There's a lot of data already on the web.

Eisen warns that the Epsilon breach should, if nothing else, emphasize the importance of proactive account takeover detection.

"You don’t know when an attack will happen," he says. "It could be today, it could be a month from now."

In its email following the breach, Chase made several recommendations to its customers, including:

  • Don't give your Chase Online user ID or password in email
  • Don't respond to emails that require you to enter personal information directly into the email
  • Don't respond to emails threatening to close your account if you do not take the immediate action of providing personal information
  • Don't reply to emails asking you to send personal information
  • Don't use your email address as a login ID or password

There's no harm in reminding customers about safe practices online.

"I see a direct correlation between the frequency of security awareness training and the success rate of these email attacks," says Brendan McGowan, director of Consulting Services for Safe Systems. "The most effective countermeasure to phishing emails is user awareness."