
Oops, I was Right Again: Nothing "Nu" About the Epsilon Affair

So I got this email a couple of weeks ago from a vendor we'll call the Television Sales Network, which was odd, as I'm pretty sure that the only time I ever bought anything from the Television Sales Network was around 1994. My first thought was, "Golly, that's some serious data mining; these guys must be desperate," but then I read the email.

Basically, it said—heck, I'll bet that most of you got one or more of these emails in early April from any number of vendors—"Gosh, we're sorry, but we held onto your email because, well, because we could. Unfortunately, however, we were too lazy to keep track of your email address ourselves despite our very reassuring privacy policy, so we contracted that sorta personal information to a third-party service on the Internet [which, readers will recall, is also known as a "cloud vendor" if the vendor wants to charge more money], and, well, it appears that those cloud guys had just the teensiest data breach, so lots of people who weren't supposed to know your email address now know it, and so you should expect a bunch of spam on this email address that we promised not to let loose on the Internet in the first place. We recognize that we did you harm by carelessly entrusting this piece of your identity and privacy to a vendor that we clearly were too inept and uncaring to monitor, and we are authorized to compensate you by saying, 'we are very sorry.'"

So I sent them back an email in response, as I thought I might be able to offer some useful advice. It ran something like this:

"Nice work, elbows. [It might have been some other body part, I forget—anatomy's never been my long suit.] Just in case it might be of value to you in the future, let me tell you my customer email story.

"Back in 1999, I started collecting email addresses to send out a technical newsletter that I write now and then as a way to offer some free advice and, with hope, to entice people to come to my site, peruse my wares, and possibly buy something. I wanted my customers to trust me, so I clearly stated in my privacy policy that I wouldn't sell their email addresses. In fact, I went so far as to say that, inasmuch as they had no real reason to trust me, they should, if they run their own email server, create a special email address just for use in accessing my newsletters so as to be 100 percent sure that I've never sold or 'lost' their emails, and in the past twelve years, I never have.

"Now, like you, I didn't want to have to manage an email server, so I looked around at services that would handle the emailing for me. Of course, they couldn't do the job without my giving them my subscriber email addresses, so I asked how they'd protect those addresses. They all basically said, 'Hey, don't worry, we've got highly trained professionals, those emails are as safe as houses.' Realizing that my subscribers would be somewhat annoyed if those email addresses somehow found their way to the spammers of the world and that annoyed subscribers would probably not ever buy products from me—I credit this insight to the two years that I spent in graduate school getting my first master's degree in public management—I asked them for some kind of structure of compensatory damages, should such a breach occur. They demurred (which is to say that they chuckled patronizingly—understanding phrases like 'demurred' was another benefit of graduate school), explaining that no one would offer that sort of thing, so I had no choice but to do the emails myself, and so I wrote a bunch of code that let me manage broadcast emails. No Epsilon, no breaches.

"My suggestion, if I may offer it, is that next time—assuming that you have enough customers left for there to be a next time—back up your promises with a well-paid in-house staff. Then you can manage them directly, maybe hire some penetration testers every other year or so, and yes, it will cost some money, but you'll never have that yucky sensation you're feeling now, as nobody likes egg on their face.

"I hope this helps. Best of luck in your next venture and hey, would you do me a favor? Take my name and my email off your lists and never, ever contact me again. Thanks!"
