Epsilon Bingo

2011-04-05 by jkouns Spammers

By now, everyone has probably read about a company named Epsilon. In fact, most people likely have second-hand involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. Most of these companies have used a similar form letter explaining the concerns and that you should be "cautious of phishing e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information." These notifications stem from Epsilon, a managed e-mail broadcasting company, getting compromised and having all of their customer e-mail addresses copied.

We have received a few emails from people asking us how we could have missed the Epsilon breach and why it isn't on our site. Well, it actually is on the site as we do follow incidents such as this, however, it is listed as a Fringe incident. Why “Fringe”? From what we can tell so far, the breach (while unacceptable) is contained to Names and Email Addresses. We do recognize that this information may increase the risk to customers as targeted spearphishing attempts may be more successful, however, there is no loss of PII. We have debated this topic for years and instead of not including them in DataLossDB, they are now just labeled Fringe. There will be more debate on the severity of this incident for sure. Some think it is critical and others merely say that their email address was never meant to be private anyways. There are good arguments supporting both sides of the debate.

We will be continuing to add all of the affected organizations as we learn about them, and you can see the incident here: http://datalossdb.org/incidents/3540

When Epsilon posted the notice on their site they mentioned: "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system."

As of April 4th, they have updated the definition of “subset” to mean "The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."

As of today, we are aware of a little over 40 companies affected, and more notices are pouring in from users. As to how many users are impacted, that is anyone’s guess. Our guess is A LOT.

If you want to read some of the notices we have received, over a dozen are on our mailing lists archives: http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html

For those that want to play along, we have decided to make some Epsilon Bingo Cards. If you are able to fill up a whole card and prove it with the notices we might have to give you a prize... that is the least we could do, right?

As always, please keep sending us any notices that we are missing so that we may better gauge the scope of this incident and update the cards.

COMMENTS

by Anonymous on 2011-04-07 (11 months ago)

This is the first time I've had occasion to examine Data Loss DB's scoping of "fringe incidents". I believe you are underestimating the seriousness of the Epsilon breach (and adopting a narrow definition of PII from wikipedia).

In addition to name and email address, a range of metadata has almost certainly been breached as well. Epsilon may well innocently overlook metadata in its press releases; in my experience many people's understanding of "personal information" is intuitive, not technical, and tends to omit internally generated PII especially event logs and metadata.

At the very least we know that information about each individual's commercial relationships has been obtained. The attackers now know about the banks and hotels and other business used by these people, and that is marketing gold.

A degree of locational information has been exposed as well. We know this because in Australia, Dell has specifically alerted its customers to the problem, while other multinationals like Target and Visa have told the press they are confident there's no problem here. How can they be so sure? Clearly the information at Epsilon must have been organised or tagged in some way geographically. Therefore the attackers also know something about the location of the users in the databases that have been raided.

So already we know it's more than name and email address. For each user, the attackers also know (a) sets of companies which do business with that user, and (b) something about the region they live in.

I am no direct marketing expert but I would be surprised if an email database didn't contain additional metadata, like the age of the records, the quality of the addresses, and some summary history of the transmissions. It's also unlikely that every customer of say Hilton Rewards would get exactly the same direct marketing blurbs, and that means Epsilon has to hold some sort of qualifying attributes about each recipient, which might be locational, or reputational.

Steve Wilson, Lockstep, Sydney, AU.

by Anonymous on 2011-04-07 (11 months ago)

It's interesting ... there are many reports out there but no one is helping the world be more secure by giving enough details (as with the SilverPop incident) about what the attack vector was. Good reporting would get us more data to better protect our own environments.

by Anonymous on 2011-04-20 (10 months ago)

NIST defines an email address as PII. Thus, a US government entity that suffered an Epsilon-type breach must consider it in the same manner as other data - even if the immediate effects are potentially different.

"One of the most widely used terms to describe personal information is PII. Examples of PII range from an individual‘s name or email address to an individual‘s financial and medical records or criminal history.

Unauthorized access, use, or disclosure of PII can seriously harm both individuals, by contributing to identity theft, blackmail, or embarrassment, and the organization, by reducing public trust in the organization or creating legal liability."

http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

The Epsilon breach has obligated those affected to disclose and notify. This is the same impact as other PII.

Why is Datalossdb inventing its own definitions like "fringe" when industry has already classified this data type?

The problem now emerging with the Epsilon breach is the direct association of impacted individuals and their relationships to providers - including very specific drug treatment categories such as HIV as emerged yesterday in the press.

This association can have grave privacy consequences and thus email addresses can in fact result in much wider consequential damage.

The Epsilon breach is huge in its scale, and the stolen data has a material cash value in the hands of an attacker. I would strongly encourage datalossdb.org to consider this as a mainstream breach, not a fringe category.

by Anonymous on 2011-05-05 (10 months ago)

Agree with previous posts. As a GRC professional with over 10 years of experience in the financial industry, I can attest that names and email addresses are considered PII. Even members of Congress have opened inquiries into this breach. Definitely not a "fringe" category.

In DataLossDB's defense, however, there is no "consistent" definition of PII.

I always use this rule: If I can look at the information and identify an individual, then it is PII. So, in this example, how many other people would have my name and my email address? If the answer is less than 2, it's PII.

by Anonymous on 2011-05-08 (10 months ago)

It's odd that DatalossDB hasn't updated its editorial about Epsilon. Perhaps you're busy sorting out Sony!
But seriously, many of us believed DatalossDB underestimated the seriousness of the Epsilon incident from the get-go. But since then, it has emerged that more metadata was also lost such as indications of the drug company products that named persons had registered interest with.
So above and beyond the Anonymous point above that NIST would have treated this breach as more serious, surely the extra metadata means this is more grave than a "fringe" event?
Steve Wilson, Lockstep, Sydney, AU.

by jkouns [Senior Researcher] on 2011-05-11 (10 months ago)

Thank you for all of the comments regarding the Epsilon breach. It is dialogue like this that helps us to improve DataLossDB and provide valuable information for the security industry.

Personally, while I believe the breach was bad, I must admit that I find it very amusing that people are so upset about names and email addresses being exposed. As we mentioned, without question the risk of Spear Phishing is increased. However, let’s think for a quick moment: did you think that your email address was really private before? Were you not getting spam before Epsilon? Do you really treat your email address like a Social Security number or Credit Card number? Being honest, have you never written your email address down on some raffle ticket card and thrown it in a bucket hoping to win a prize? =)

All kidding aside, we completely agree that “context” is king when it comes to determining if something like names and email addresses is a “fringe” incident. When we first approved the Epsilon incident, if you believe the company’s notice, there were no indications whatsoever that anything further was exposed other than names and email addresses. While we haven’t necessarily been 100% consistent (some older name/email incidents were entered before the ‘Fringe’ category existed), we do have other incidents in DataLossDB that are names and email addresses where it is very clear from the context that they relate to a medical condition or other information that is considered sensitive. Examples of this:
http://datalossdb.org/incidents/3046-669-email-addresses-accidentally-exposed-in-email
http://datalossdb.org/incidents/3684-937-patients-names-and-email-addresses-exposed-in-email-error

We also have many other incidents that are similar to Epsilon that no one has complained about (yet) that are labeled “fringe”. Here are some examples:
http://datalossdb.org/incidents/3012-4-000-000-user-names-and-email-addresses-stolen-in-hack
http://datalossdb.org/incidents/48-92-million-email-addresses-for-30-million-subscribers-sold-to-spammers
http://datalossdb.org/incidents/3654-names-and-email-addresses-used-to-send-phishing-email-to-customer-email-list

As for the definition of PII, we typically go by the GLBA definition, and linking to Wikipedia was just us trying to add some more discussion to the post.

However, saying NIST includes email addresses and therefore you should include it as PII is just silly. If there was a list of email addresses that also included SSN or Credit Card numbers then that makes sense. Basically we agree that replacing name for an email address as the unique identifier is legitimate PII. In that document, NIST also says “Telephone numbers, including mobile, business, and personal number” is PII. Are you saying that because NIST says this, then a phonebook is now considered PII as well? If only names and mailing addresses were breached, would you include that as PII just because NIST says so in its “guidelines”? If so, then every single phone book dropped on your front door is an incident that should be added as well. That seems a bit far-reaching... right?

Steven, one could argue that you give more information away on your public LinkedIn profile that could be used for evil than a name and email address. By going to your company’s website you freely give away your email address for people to contact you. Do people honestly think less than two people have their name and email address?

Back to Epsilon; if names and email addresses were breached along with something sensitive (e.g., inclusion in a specific mailing list that is confirmed HIV treatment patients), then we would consider that a breach of medical information and certainly considered a full incident in DataLossDB. Have we 100% confirmed that this is the case? If you guys can share some solid media references where it is confirmed that Epsilon has lost medical information we would definitely convert this to a full incident. All we have read so far is speculation based on the GlaxoSmithKline post saying if you signed up for prescription information, that was breached. And for the record, at some point we do think it will be confirmed that PII was breached but we simply haven't seen evidence yet.

As we try to have the most complete and accurate information, it is important to note that we make as few assumptions about incidents or what was compromised as possible to manage incidents. While in many cases we completely agree that “other” data was *likely* compromised, if we don’t have grounded facts that point to it then it is not included. DataLossDB does not include incidents or events based on what we guessed was breached.

As security professionals we need to make sure that we continue to push for better security controls, hold companies accountable for incidents, but at the same time not blow things out of proportion. And yes, sorry for the delayed response, but we are busy working on the database adding new incidents every day. We would welcome help from anyone willing to put some time into the project to help improve the data.

By the way, just so it is clear, OSF views names and passwords as a full incident and not “fringe”. And that upsets a whole other set of other people! Good times for all!

by Anonymous on 2011-05-12 (10 months ago)

I agree you guys cannot and should not speculate about data breach details, and I apologise if I implied that you should rate the Epsilon breach according to the likelihood that other data was lost. Yet from the outset it seemed obvious to me that metadata to do with individuals’ relationships with hotels, banks, airlines and so on was also involved, so the breach was more than names & email addresses.
But I want to concentrate if I may on the definition of PII and the threshold you set yourselves for the seriousness of PII. I actually cannot find a consistent formal definition of “Personally Identifiable Information”, even in the GLBA. I am going to assume that PII is more or less the same as the term "Personal Information" which is precisely defined and consistently used in jurisdictions like Australia. To wit:
"Personal Information is information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information"
That is, any information at all about me that is associated with my name, is counted as PII. That might be "Steve's shoe size is 9". Or "Steve's email address is swilson@lockstep.com.au". And PII includes metadata like the name of a file that includes my email address and associates it with a pharmaceutical drug of interest.
It seems to me in this case that you want to weight the identification of PII according to some level of certainty that I am actually taking a given drug, versus having a passing interest in it. You would then be buying into a complex exercise of subjective analysis. It is surely better to set a low and objective bar and not try to second-guess just how sensitive the information is.
You say that NIST's approach regarding email address is "silly" and you make your own judgement that name + email address needs to be augmented by extra info, like SSN, for it to be counted as 'personal'. Isn't this arbitrary? Especially given that some e-mail addresses are clearly more revealing than others: a free cloud email address mickeymouse@cloud.xyz might be anonymous and would not qualify as PII, whereas corporate addresses like swilson@lockstep.com.au not only name me but indicate my employment too. Where do you draw the line? Why draw a line at all?
Finally, my disclosing details to a social networking site does not in any way alleviate the obligations of companies under privacy principles. LinkedIn and Epsilon are poles apart. I willingly tell my professional life story on LinkedIn for a specific purpose, and LinkedIn has a Privacy Policy that circumscribes what they do with my PI. With Epsilon, few people even knew their details had been exported from the hotels, banks and pharma companies! They had no opportunity to consent or to understand how their personal information was flowing. From now on, a proportion of consumers are likely to seek alternative arrangements, instead of having their unique email address and association with multiple businesses exported to mass mail bureaus.
As for telephone books, I think that’s not an issue. Paying for a phone service involves clearly understood conventions about having one’s name, address and number published, and there is the option of silent numbers. So yes, a phone book is absolutely PII, but it’s a collection that is clearly consented to.
Steve Wilson
@steve_lockstep
Lockstep, Sydney, AU.

by Anonymous on 2011-06-02 (9 months ago)

Jkouns,

I respectfully disagree with your interpretation of GLBA. The FTC has been VERY clear that PII is any information that identifies an individual (which doesn't necessarily mean it is NOT accessible from public sources). You appear to be confusing PII and "nonpublic personal information" which is what the GLBA is regulating financial institutions to protect.

I agree that not all PII has to be treated like a credit card number or social security number; however, the intent of information, not its source, is what dictates what should be maintained as private and what is not. Just because my name or email address might be accessible in some public database somewhere doesn't give any business the right to post it willy-nilly and forgo privacy protection responsibilities. Beyond GLBA there are still state laws, the FTC Act, etc...

Yes, people's names and phone numbers are in a big book that gets dropped at my door; however, as Steve was alluding to, I also have the right to contact the phone company to have my name and phone number removed from that book. Thus, it is no longer publicly available. In other words, I consent and have an established reason for making certain data about me publicly available.

This is such a common flaw in our industry of categorizing information incorrectly and not clearly understanding the difference between PII and public information. Here are the terms I use (all of which are different):

Personal Information: Information that is about me as an individual.

Personally Identifiable Information: Information that identifies a single individual.

Nonpublic Personal Information: Information about an individual that is not intended to be public (INTENT not SOURCE!)

Personally Identifiable Financial Information: Think credit card numbers, social security numbers, etc...

Public Information: Information that is intended to be made public.

by Anonymous on 2011-06-10 (9 months ago)

@Anonymous: Perhaps my view is a different perspective than most regarding HIPAA, GLBA, etc ..... I think the legislation gives the appearance of protecting an individual's privacy. In reality, it outlines a number of organizations and reasons the data can flow without violating legislation.

I refuse to sign any HIPAA agreements when I go to the doctors - take a look at who your provider is allowed to share with. The same is true with GLBA among financial services. HIPAA and GLBA are a license to practically give away personal information.

The result: you don't have to worry about one provider (say, your doctor or IRA Administrator). You have to worry about the Practice or IRA firm and everyone they have been allowed to share. Oh, and they don't have to tell you they did it.

Jeffrey Walton

Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail officers@opensecurityfoundation.org with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2012, Open Security Foundation, All Rights Reserved.