The End of Digital Innocence: What Does the Epsilon Breach Mean for You?

April 8, 2011— -- Spot Quiz: What does the word Epsilon mean to you? It is the fifth letter of the Greek alphabet. As I recall, in its lowercase form, epsilon stands for elasticity, among economists. There might even be a fictional spy named Epsilon.

I'll bet that up until a few days ago you didn't know that Epsilon was also the name of a company that has exposed millions of Americans (including you, most likely) to the increased risk of imposter fraud, a crime that made it to the Federal Trade Commission's top 10 complaints list this year for the first time. Epsilon is a unit of Alliance Data that collects consumer information from hundreds of corporate clients to manage their email marketing campaigns.

On April 1, Epsilon posted a terse announcement on its corporate website that set off a media frenzy and confirmed, yet again, the end of the Age of Digital Innocence:

IRVING, TEXAS – April 1, 2011 – On March 30, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Apparently, an unknown cyber ninja (or coven of ninjas) had efficiently and maliciously gained unauthorized access to the Epsilon system and caused, according to Michael Kleeman, a network security expert at the University of California at San Diego, a "massive hemorrhage" of what has heretofore been considered nonpersonal identifying information, yet now is viewed by a growing number of privacy experts as the Social Security Number of the Digital Age -- the email address combined with a name. In other words, the data that consumers provided to many large companies, such as J.P. Morgan Chase, Citibank, Kroger, Target, Best Buy, Disney Destinations and Verizon, could now be in the hands of guys we would never want to friend on Facebook.

(Related article: Giant Data Breach Hits Nation's Largest Banks, Retailers)

If you didn't know anything more than that, it would be horrifying enough. After all, despite thousands of privacy policy disclosures and enormous media attention, most folks don't know (or don't want to know) that information provided to trusted financial institutions, service providers or retail stores is shared with other companies. Again, I'll bet most Americans didn't know that there even was a company called Epsilon. But worst of all, we still don't know, even now, how much information Epsilon really has, or which information was truly hacked. It was publicly announced that, not to worry, only email addresses were stolen. I received several frantic emails from banks with which I have relationships assuring me that only my email address was no longer secure.