On March 30, 2011, Epsilon, a subsidiary of Alliance Data Systems Corporation (NYSE: ADS), discovered an intrusion into its network that has the potential to become one of the largest data breaches. As a result of the intrusion, proprietary marketing/customer information of Epsilon’s clients was exposed to an unauthorized source. Epsilon has assured the public that only names and e-mail information were stolen. Although Epsilon is disclosing that the companies affected represent only 2% of its customer base, it has not yet disclosed the percentage of total e-mail addresses that have been accessed. Approximately 50 companies have contacted affected customers with warnings regarding possible “phishing” e-mails. Epsilon has yet to disclose the details related to the intrusion due to ongoing investigations.

Analysis

The persons impacted by these hacked e-mail addresses now carry the cost, uncertainty, and duress of being potential victims of business profits put ahead of privacy and security. Epsilon will feel this financial pain for years, as did TJX and Heartland Payment Systems, but the costs will likely be that much greater because this event occurred in 2011 and the majority of Epsilon clients may never have insured against this massive data spill and the resulting liabilities. The collateral damage could be massive from the pending spear-phishing attacks that are beginning to appear. In the absence of the engagement contracts between Epsilon and the impacted companies, the assumption is that ultimately Epsilon will bear the resulting costs for all of the impacted accounts regardless of any indemnification language in those contracts.