Epsilon: The Most Expensive Data Breach You’ve Never Heard Of
Search for the most expensive data breaches in history, and you’ll see a list of names you’re undoubtedly familiar with: Yahoo ($470 million), Target ($300 million), TJX ($256 million), Sony PlayStation Network ($171 million). But at the top of the list – often in the number one spot – is a firm called Epsilon, which suffered a data breach in 2011 that cost an eye-watering $4 billion.
Who or what is Epsilon? Why was their data breach so expensive? And have we learned lessons from it so that we can prevent it in the future? (Spoiler alert: No.) Let’s delve into the story:
First, what makes a data breach expensive?
Data breach costs continue to rise. The average cost of a data breach in 2024 is $4.88 million, which is by no means a small chunk of change. That number raises the question, however: why are some breaches so much more expensive than others?
According to IBM, there are four key areas that contribute to the expense of a data breach:
Detection and Escalation
Detection is the process of finding the breach and determining its full extent. It involves tools like SIEM (Security Information & Event Management) and IDR (Intrusion Detection and Response). Some things to watch out for are odd traffic patterns (like a security camera suddenly passing several gigabytes of data), repeated access requests from an unidentified source, and abnormal data transfers.
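As an added example (not code from the original article or from Portnox), here is a small baseline check that flags the three indicators just listed when run over a handful of constructed flow records. Every host name, address, byte count and baseline in it is invented for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (source, destination, bytes, access result);
# every host name, address and byte count here is invented for illustration.
FLOWS = [
    ("cam-lobby-01", "10.0.5.20", 2_000_000, "ok"),        # routine camera upload
    ("cam-lobby-01", "203.0.113.9", 3_500_000_000, "ok"),  # several GB to an outside host
    ("fileserver-02", "10.0.1.4", 50_000_000, "ok"),       # normal internal copy
] + [("198.51.100.7", "fileserver-02", 0, "denied")] * 6   # repeated refused requests

# Assumed baselines: typical bytes per window for each known device.
BASELINES = {"cam-lobby-01": 5_000_000, "fileserver-02": 200_000_000}
INTERNAL = ("10.", "192.168.", "172.16.")  # constructed internal address space

def is_internal(addr):
    """A destination is internal if it is in the private ranges or is a known device."""
    return addr.startswith(INTERNAL) or addr in BASELINES

def find_anomalies(flows, baselines=BASELINES, volume_factor=10, denial_limit=5):
    """Flag the three indicators the article lists: volume far above a device's
    baseline, data leaving the network from a known device, and repeated denied
    access from a source that has no baseline at all.
    Returns a sorted list of (indicator, source) pairs."""
    total = defaultdict(int)
    external = defaultdict(int)
    denied = defaultdict(int)
    for src, dst, nbytes, result in flows:
        total[src] += nbytes
        if not is_internal(dst):
            external[src] += nbytes
        if result == "denied":
            denied[src] += 1
    findings = set()
    for src, nbytes in total.items():
        base = baselines.get(src)
        if base is not None and nbytes > volume_factor * base:
            findings.add(("volume_anomaly", src))
        if base is not None and external[src] > 0:
            findings.add(("external_transfer", src))
    for src, count in denied.items():
        if src not in baselines and count >= denial_limit:
            findings.add(("repeated_denied_access", src))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, source in find_anomalies(FLOWS):
        print(f"{indicator}: {source}")
```

The thresholds are deliberately simple; in a real SIEM the baseline would be learned per device and per time window rather than hard-coded.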
Escalation is the process of letting the correct people in the organization know. It probably starts with IT and security staff and then branches into legal, product, engineering, senior leaders, etc.
These may not seem like big hurdles, but consider this: it can take months to discover the true extent of a data breach through thorough investigation. You have no way of knowing which systems are compromised and which channels are safe, and you risk giving the hackers time to hide more effectively if they are privy to your communications. You might find yourself having to suddenly invest in tools like encrypted messaging, password managers, or hardware security tokens like PIV (personal identity verification) cards.
Notification
Notification is how you alert the outside world of the data breach. From customers to regulators, the sooner you make a statement and share the facts the better. Being transparent about what data was compromised, providing regular updates on the investigation, and outlining how you will prevent future breaches are all essential elements of your notification strategy.
Post-Breach Response
How are you going to make people feel like they can safely do business with you? That’s the question your post-breach response has to answer. Offering things like free credit monitoring, compensation for any fees or financial costs they incur, and clear communication about the steps you’re taking to strengthen your security measures can help rebuild trust.
Lost Business
It cannot be overstated how disruptive a data breach is to a company’s operations. Everything – development, sales, support, marketing – grinds to a halt while the breach is investigated. Your customer-facing departments like support and sales will be inundated with questions and complaints. Forget about future plans and roadmaps – everything is consumed by the data breach. Customers will churn. Prospects will disappear or expect incredibly deep discounts.
With all of these to consider, costs add up rapidly.
Who is Epsilon?
Founded in 1969, Epsilon was one of the world’s largest marketing firms until it was acquired by Publicis Groupe in 2019. Epsilon is an industry leader in data-driven marketing, consistently ranking among the top firms in the industry. They boasted clients across several industries:
Financial Institutions: American Express, Citibank, Capital One, Barclays
Retailers: Target, L.L. Bean, Best Buy
Hospitality: Hilton, Marriott
Other large clients: Disney, TiVo, Kroger, Verizon
One of their core services was managing e-mail marketing campaigns, so they had a massive database of e-mail addresses across all of their clients.
What happened?
In April 2011, Epsilon announced that it had been the victim of a data breach. Although it hasn’t released full details of how exactly it happened, the general consensus is that it was a phishing attack. This makes sense, considering these types of attacks are still extremely common. The hackers were able to access Epsilon’s e-mail database and obtained 250 million records from 75 of Epsilon’s clients.
Although Epsilon quickly alerted its own clients, it left communicating with the actual victims up to them. This resulted in somewhat inconsistent notifications; Verizon, for instance, took a week to notify their customers, saying they “Wanted to make sure [we] had the most detailed information possible from Epsilon.”
No personal information beyond names and e-mail addresses was compromised. However, this opened the victims up to more targeted e-mail scams; for instance, if you see that a particular e-mail address is associated with Barclays Bank, you can send a series of spear phishing attacks to that specific person that appear more legitimate. In all, the perpetrators raked in an estimated $2 million from spam e-mails.
The Aftermath
Three people were indicted; two were sentenced and one remains at large and wanted. Epsilon lost an estimated $45 million in business as clients left in droves, paid out another $127.5 million to victims in a settlement with the Department of Justice, and spent another $225 million on forensic audits, monitoring, litigation, and more. Total cost of the damage: $4 billion.
We’d love to tell you that lessons were learned, security was tightened, and this kind of attack never happened again... we sure would love to tell you that. To be fair, this hack did lead to greater awareness of vulnerabilities in databases and an improvement in best practices around security in general. But overall, the initial method of entry – compromised credentials via a phishing attack – is still one of the most common techniques hackers use today. In fact, compromised credentials account for 80% of all data breaches. The smartest thing an organization can do is shift to passwordless authentication – unless they just happen to have $4 billion lying around.