The Epsilon Breach: Inference and Exaggeration
News about the Epsilon breach has spread relatively slowly. The breach of data held by an email marketing service provider is bad, no question, but on its own it is not terribly consequential: what was exposed is email addresses, and email addresses aren’t generally kept secret.
But the Epsilon story may soon heat up. The presence of an email address on a particular list supports inferences about aspects of a person’s life that may be sensitive. So it is with GlaxoSmithKline’s lists related to prescriptions. As the Coalition Against Unsolicited Commercial Email (CAUCE) points out, a correlation between an email address and interest in a particular drug makes spear-phishing attacks more potent: a fraudulent message tailored to a medication a person takes will get a higher response rate than a generic phish, and could be used to defraud people on matters relating to their health.
But is it helpful to exaggerate this serious threat? CAUCE titles its post “Criminals Now Know What Prescriptions You Take.” Thought leaders like Jules Polonetsky have picked up that meme and run with it.
For people who are not data-literate, the likely implication of “criminals know what prescriptions you take” is that criminals have obtained lists of the prescriptions they take. A person on ten different medications might think that criminals now know each and every one of them. That is more frightening than the reality: an association between one or two prescriptions and an email address is available to criminals. (It is possible that someone signed up for email relating to each of their prescriptions, all of them from drug companies that use Epsilon as their email service provider, but I think that is unlikely and rare enough to treat as an irrelevant outlier.)
What criminals actually know is that particular email addresses appear on lists associated with particular prescriptions. Many of the people behind those addresses do take that prescription. Some used to take it. Some have a loved one who takes it, some sell it, some prescribe it, and so on.
What’s the point of this observation? Not much. But under the rule of media and politics, “if it bleeds, it leads,” we may soon see a media and policy stampede. That stampede will treat an important security issue that deserves careful attention as a techno-cyber-apocalypse that demands immediate overreaction.