Texas spent $1.2 million to notify individuals - as many as 3.5 million - whose personal information were exposed, $393,000 to established a call center and $290,000 to retain two IT consultants to examine the agency's IT security policies and procedures.
While the cause of the Epsilon e-mail breach has not been publicly disclosed, the incident's aftermath has seen a growing list of organizations impacted by the breach. It also has ignited a new debate about the sensitivity of e-mail addresses.
The latest Verizon Data Breach Investigations Report is out, and the good news is: The number of compromised records is down. The troubling news is: The number of breaches is up. Bryan Sartin, one of the report authors, explains why.
As details about the Epsilon e-mail breach unfold, the list of affected companies grows, including major banks and merchants. Here is the latest list of the companies known to have been impacted by the incident.
The Social Security Administration sold the information in a database of deceased individuals that erroneous contained the Social Security numbers, dates of birth, full names and ZIP codes of living people, the inspector general reports.
"Although we have made good progress in creating information sharing entities, to share information securely and efficiently, we have not adequately tackled the critically important issues associated with the timeliness and completeness of information," Financial Services Sector Coordinating Council Chair Jane Carlin...
State agencies transferred information containing unencrypted, personal information to unsecured servers between January and May 2010, but the exposure was not discovered until two weeks ago, Texas Comptroller Susan Combs says.
It's serious news that RSA's SecurID solution has been the target of an advanced persistent threat. But "It's not a game-changer," says Stephen Northcutt, CEO of SANS Institute. "Anybody who says it is [a game-changer] is an alarmist."
The federal government's official tally of major health information breaches now confirms the recent Health Net incident affected 1.9 million individuals, making it the largest breach on the list. Meanwhile, at least four state agencies are now investigating the incident.
When it comes to e-marketing and the reliance on third parties such as Epsilon, Nicolas Christin of Carnegie Mellon University says banks and merchants should "come clean" about the information they share with outside entities.
Communicating with customers about the incident and warning them not to click links in phishing e-mails are all these impacted institutions and companies really can do, says Jeremiah Grossman, chief technology officer of WhiteHat Security.
Privacy Attorney Lisa Sotto says the Epsilon e-mail breach is a warning about the state of data security employed by some third-party service providers. Strong contracts related to security practices must be the norm, not the exception.
"Persistent" is the operative word about the advanced persistent threat that has struck RSA and its SecurID products. "If the bad guys out there want to get to someone ... they can," says David Navetta of the Information Law Group.