In addition to notifying its customers, Epsilon contacted law enforcement and is working with federal authorities to investigate the breach. On the question of what to disclose and when, companies should take their lead from law enforcement, said Josh Shaul, CTO of Application Security. They should also retain an attorney familiar with breach notification laws and follow that advice as well.
“The attorney will help your organization determine what to disclose, while law enforcement will determine when this disclosure is allowed,” he said. “There is a balance between informing and protecting your customers and the viability of your business.”

Senator Richard Blumenthal (D-CT) called on Epsilon Monday to provide more details of the attack, and has said he plans to announce legislation in the coming weeks to protect consumers from phishers.
“Epsilon owes it to these consumers to provide them with tools to ensure the safety of identification and financial information, and also to take serious steps towards preventing these types of breaches in the future,” he said in a statement.
According to Alliance Data Systems, Epsilon’s parent company, the security protocols within Epsilon controlling access to the system have undergone a rigorous review, and access has been further restricted as the ongoing investigation continues.
The challenge with breaches like the one that hit Epsilon is that no payment card data was involved, so no mandated standard such as the Payment Card Industry Data Security Standard (PCI DSS) applied to enforce protection of the data that was taken, said Avivah Litan, an analyst with Gartner.
Rules did exist in the latest breach reported in Texas; they simply were not followed. According to the office of the Texas Comptroller of Public Accounts, personal information on 3.5 million Texans was exposed because the server holding it was publicly accessible over the Internet. The data, which was unencrypted, included Social Security numbers, names, mailing addresses and other information. In a statement, the Comptroller’s office explained that the information was contained in data transferred to it by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).
“The data files transferred by those agencies were not encrypted as required by Texas administrative rules established for agencies,” the Comptroller’s office said in a statement. “In addition to that, personnel in the Comptroller’s office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures. The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files.” The agency has contacted law enforcement and plans to begin sending letters to victims on April 13.
“I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location,” said Texas Comptroller Susan Combs, in a statement. “We take information security very seriously and this type of exposure will not happen again.”
The PCI Data Security Standard, Litan said, provides good guidelines for protecting sensitive data of any kind, not only card numbers. The steps it prescribes include segmenting the network so that sensitive data is walled off from the rest of the environment, obfuscating or encrypting the sensitive data itself, applying strong access controls to the privileged accounts that can reach it, monitoring activity around access to that data, and blocking access when a transaction looks suspect.
“I think that standard can be used to set some ground rules as to what is essential when it comes to protecting sensitive information,” she said.
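The segmentation, privileged-account and monitoring controls Litan lists above are easy to state and easy to get wrong in practice, so here is what a minimal enforcement point for them looks like when run over access records from a sensitive-data store. This is an added example written for this page; it is not code from the article, from Gartner, or from any of the organisations named here. The log format, the dataset names, the 10.20.0.0/24 restricted segment, the account allowlist and the row thresholds are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Access monitor for a sensitive-data store.

Applies three of the PCI DSS-style controls discussed above to each access
record: (1) sensitive reads must originate from the walled-off segment,
(2) only allowlisted privileged accounts may touch sensitive datasets, and
(3) activity is monitored for bulk or drip-style reads, which are blocked or
alerted on.  Added example; policy values and log lines are assumptions.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# --- Assumed policy -------------------------------------------------------
SENSITIVE_DATASETS = {"customer_pii", "retirement_records"}      # hold SSNs etc.
RESTRICTED_SEGMENT = ipaddress.ip_network("10.20.0.0/24")        # walled-off net
PRIVILEGED_ACCOUNTS = {"dba_alice", "svc_hr_export"}             # allowed accounts
MAX_ROWS_PER_QUERY = 500      # single bulk pull: block outright
MAX_ROWS_PER_ACCOUNT = 2000   # cumulative per account in this log window: alert

# --- Constructed sample log: "ts user src_ip dataset action rows" ---------
SAMPLE_LOG = """\
2011-04-04T09:01:12Z dba_alice 10.20.0.15 customer_pii SELECT 120
2011-04-04T09:03:40Z web_app 10.50.3.7 product_catalog SELECT 3000
2011-04-04T09:05:02Z web_app 10.50.3.7 customer_pii SELECT 40
2011-04-04T09:07:55Z dba_alice 10.20.0.15 customer_pii SELECT 900
2011-04-04T09:10:30Z svc_hr_export 10.20.0.22 retirement_records SELECT 450
2011-04-04T09:11:30Z svc_hr_export 10.20.0.22 retirement_records SELECT 450
2011-04-04T09:12:30Z svc_hr_export 10.20.0.22 retirement_records SELECT 450
2011-04-04T09:13:30Z svc_hr_export 10.20.0.22 retirement_records SELECT 450
2011-04-04T09:14:30Z svc_hr_export 10.20.0.22 retirement_records SELECT 450
2011-04-04T09:20:01Z contractor_bob 10.20.0.40 customer_pii SELECT 10
"""


@dataclass
class AccessEvent:
    ts: str
    user: str
    src_ip: ipaddress.IPv4Address
    dataset: str
    action: str
    rows: int


def parse_line(line: str) -> AccessEvent:
    """Parse one space-separated access record (assumed format)."""
    ts, user, ip, dataset, action, rows = line.split()
    return AccessEvent(ts, user, ipaddress.ip_address(ip), dataset, action, int(rows))


def evaluate(events):
    """Return a list of (event, verdict, reason); verdict is ALLOW, ALERT or BLOCK."""
    cumulative = defaultdict(int)   # rows read per account across the window
    results = []
    for ev in events:
        if ev.dataset not in SENSITIVE_DATASETS:
            results.append((ev, "ALLOW", "non-sensitive dataset"))
            continue
        # Control 1: segmentation. Sensitive data is only reachable from inside.
        if ev.src_ip not in RESTRICTED_SEGMENT:
            results.append((ev, "BLOCK", f"sensitive read from outside restricted segment ({ev.src_ip})"))
            continue
        # Control 2: privileged-account allowlist.
        if ev.user not in PRIVILEGED_ACCOUNTS:
            results.append((ev, "BLOCK", f"account {ev.user} not authorised for {ev.dataset}"))
            continue
        # Control 3: monitor volume; a single oversized pull is blocked,
        # a slow drip that crosses the cumulative limit raises an alert.
        if ev.rows > MAX_ROWS_PER_QUERY:
            results.append((ev, "BLOCK", f"{ev.rows} rows exceeds per-query limit {MAX_ROWS_PER_QUERY}"))
            continue
        cumulative[ev.user] += ev.rows
        if cumulative[ev.user] > MAX_ROWS_PER_ACCOUNT:
            results.append((ev, "ALERT", f"cumulative {cumulative[ev.user]} rows for {ev.user} exceeds {MAX_ROWS_PER_ACCOUNT}"))
        else:
            results.append((ev, "ALLOW", "privileged account, restricted segment, within limits"))
    return results


def summarize(results):
    """Count verdicts, e.g. {'ALLOW': 6, 'BLOCK': 3, 'ALERT': 1}."""
    return dict(Counter(verdict for _, verdict, _ in results))


def run_sample():
    """Evaluate the constructed sample log."""
    return evaluate(parse_line(line) for line in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ev, verdict, reason in run_sample():
        print(f"{ev.ts} {verdict:5} {ev.user:14} {ev.dataset:18} {reason}")
    print(summarize(run_sample()))
```

Two design points worth noting. The segment check runs before the account check, so a legitimate privileged account whose credentials are used from an unexpected network is still refused; stolen credentials are the common case, and segmentation is what limits their usefulness. And the cumulative counter exists because a per-query ceiling alone is trivially evaded by splitting an export into many small reads, which is exactly what the fifth `svc_hr_export` line in the sample shows.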