A pair of massive data breaches have illustrated that marketing services firms, trusted to manage the email campaigns of major businesses, have become a high-value target of cybercriminals aiming to steal valuable information that easily can be monetized.
Companies such as Epsilon and Silverpop work with some of the world's largest companies and maintain vast databases of customer information, making them an especially attractive target, said Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University in Pittsburgh.
Breaking into just one of these repositories yields scores of customer data belonging to potentially hundreds of clients, he said.
A list of active email addresses, especially of Epsilon-like magnitude, is a valuable asset that can be sold to organized criminal groups who make money redirecting recipients to spam websites, said Lance James, director of intelligence at security monitoring solutions provider Vigilant. Stolen email lists also can be used to pull off targeted phishing attacks that introduce malware into organizations.
The recent theft of email addresses from Epsilon, one of the world's largest email marketers, affects dozens of major banks and retailers, and followed a similar exposure at rival marketing firm Silverpop.
“These hackers are...seeing they aren't getting stopped and that nobody's coming after them,” James said.
With no repercussions, the hackers now clearly have moved on to bigger and more valuable targets, which appear just as vulnerable as smaller marketers, he said.
Epsilon is not forthcoming with information about how the breach occurred, Christin said. “They probably don't want to tell us what happened, either because they don't have a clue or because their whole system isn't that secure.”
Gartner VP and distinguished analyst Avivah Litan said criminals also are actively targeting other types of businesses that maintain huge lists of consumer information, such as financing agencies, bill collectors and leasing agents.
“Cybercriminals are trending toward targeted attacks and getting as much information as possible to conduct those,” she said.
Before outsourcing information to third parties, organizations must assess the risks associated with that data and ensure it will be adequately protected, said Richard Mackey, VP of consulting at SystemExperts.