Epsilon breach should strike fear in hearts of companies
The breach at Epsilon, the Dallas online marketing vendor to more than 2,000 businesses, generated a lot of headlines. Should companies be all that worried?
In one view, this is a much less serious breach than previous heavily publicized breaches, such as the one two years ago that hit Heartland Payment Systems, which processes more than 100 million payment card transactions a month for 175,000 merchants. Now that was a massive breach in which PII was taken.
One could also minimize the security implications of the breach at Epsilon, which is owned by Alliance Data, by arguing that thieves took only names and email addresses, not PII, which of course really strikes fear and loathing in people. In addition, Alliance Data says that the breach only affected about 2 percent of Epsilon's total client base.
In this era of Advanced Persistent Threats (APT), however, few security experts will take this incident lightly, especially if you are a client of Epsilon. The fact is that simple email addresses can be profitably exploited by criminals. Email addresses of employees at EMC's RSA unit, for example, were all that the criminals needed to breach RSA's network, potentially compromising RSA's multi-factor authentication technology.
The fact that the Epsilon hackers accessed information that ties the email addresses of end customers to the businesses with which they interact certainly raises the stakes. This information could be used to craft some very persuasive ruses to compel end customers to click on a link. And that's about all it takes for malware to load. We can only hope client companies take the necessary steps to educate their customers about the breach. Banks and many other companies were forced to issue a warning to their customers, which is never pleasant. They have every reason to be mad, as their reputations were also put at stake.
Epsilon clients include financial companies like American Express, Ameriprise Financial, Barclays Bank, Capital One, Citibank, City Market and JPMorgan Chase, as well as Best Buy, The College Board, Disney Vacations, Hilton Honors, The Home Shopping Network, Kroger, Marriott Rewards, Ritz-Carlton, TiVo, Verizon and Walgreens, among others. Some think that a phishing scheme aimed at JPMorgan Chase may be the result of the Epsilon hack.
The incident indeed highlights anew that brand risk issues can't be ignored. It's not a surprise that Alliance Data's stock has taken a hit in the aftermath of the breach. The theft was a severe blemish on Epsilon's reputation, and it has no choice but to invest heavily in winning back its customers' trust. It needs to think this through carefully. Securing its network will merely be the first step on what may be a long road. - Jim