When hackers breached Epsilon's servers in late March, millions of email addresses were exposed. The email addresses belonged to customers of such well-known firms as Citi, Walgreens, TiVo, Kroger and JP Morgan Chase, among others. Though the firms affected were quick to note that only names and email addresses were exposed, security pros pointed out that the information could be used to carry out targeted phishing attacks.
Customers whose information may have been compromised were warned to keep an eye out for suspicious emails purporting to be from the companies with which they already did business. For about a week, every day brought an announcement from another corporate customer of Epsilon's email marketing services that had been impacted by the breach. But just as quickly, the Epsilon breach faded into the background as more immediate security news took precedence.
Until this weekend. According to a press release published by Reuters, a new study by cyber analytics and intelligence specialist CyberFactors reveals the breach could actually cost Epsilon upwards of $200 million. And nearly one quarter of that cost results from lost business.
The total cost of the Epsilon breach (including forensic audits and monitoring, fines, litigation and lost business for provider and customers) could eventually run as high as $3 billion to $4 billion, given that the compromised e-mail addresses could be used by hackers and phishers to gain access to sites that contain consumers' personal information.
Some experts say the breach is another indication that security in the cloud still isn't where it should be. Regina Clark, research and analytics director for CyberFactors, noted:
[T]he Epsilon event suggests a much more profound financial risk environment is now upon us. Cloud companies would be wise to think more like banks, insurance companies and hedge funds, and not just aggregators of the world's precious data and technology dependencies.